AUS undergraduate uncovers security flaw in Python library, PyCel

May 19, 2025 / 12:27 PM
Sharjah 24: Adham Elmosalamy, a computer science and engineering student from the College of Engineering at American University of Sharjah (AUS), recently discovered a critical security vulnerability in PyCel, an open-source Python library used to process Excel files.

The vulnerability has been officially added to CVE database

The vulnerability has since been officially added to the global Common Vulnerabilities and Exposures (CVE) database maintained by the US-based MITRE Corporation, a not-for-profit organization that plays a critical role in global cybersecurity. Most CVEs are reported by professional researchers, cybersecurity firms or PhD-level academics, which makes Elmosalamy’s contribution particularly notable.

“This is a significant achievement that speaks to the quality of students we nurture at AUS,” said Dr. Fadi Aloul, Dean of CEN. “Being assigned a CVE by MITRE is akin to earning a black belt in cybersecurity—a sign of exceptional skill. For an undergraduate to reach this level is remarkable. We are very proud of Elmosalamy’s positive impact in the global cybersecurity domain.”

First identified the issue in November 2024

Elmosalamy first identified the issue in November 2024 during an independent review of open-source libraries. Within days, he developed a proof-of-concept and submitted a detailed report to MITRE. MITRE then validated the findings and assigned the official CVE number CVE-2024-53924. This number is a standardized identifier that can be used by developers, software engineers and other professionals around the world to track and respond to publicly disclosed cybersecurity flaws in software.

Elmosalamy’s CVE-2024-53924 is a code execution vulnerability, one of the most severe classes of software security flaw. It affects users of PyCel who open untrusted Excel files, potentially allowing attackers to execute malicious code on their systems. The National Institute of Standards and Technology (NIST), which evaluates and scores CVEs through its National Vulnerability Database, assigned it a CVSS severity score of 9.8/10, classifying it as “critical”.

Since assigning the CVE, MITRE has contacted the software vendors to fix the vulnerability. As of April 17, it began publicising the issue in order to protect all users of the vulnerable software.

“This is my first CVE, which is very special to me”

“This is my first CVE, which is very special to me. It's incredibly rewarding to see my knowledge applied in a way that contributes to securing our cyber infrastructure,” said Elmosalamy. “This milestone reflects the many hours I’ve dedicated to learning and practicing cybersecurity, and I hope it encourages other students to explore this vital field.

“An AUS student first inspired me during my freshman year—someone whose passion left a lasting impression despite graduating that same semester. Since then, I’ve dedicated myself to creating a thriving cybersecurity community at AUS and competed in the Collegiate Penetration Testing Competition (CPTC) for three consecutive years. In 2022, I reached the finals in Rochester, New York. I later founded the Society of Cybersecurity (SOC) in 2023, through which I hosted 27 events over three semesters, from industry talks to bootcamps and an outreach workshop for high schoolers.”

Today, Elmosalamy is studying at AUS and working at CTFAE, a startup founded by AUS alumni, where he has built new products and helped organize major events, including the Guinness World Record-holding BlackHat Middle East cybersecurity conference in Riyadh.

“I’m deeply committed to establishing AUS as a regional leader in cybersecurity education”

“I’m deeply committed to establishing AUS as a regional leader in cybersecurity education, and I hope to see the university offer more specialized courses in areas like digital forensics, threat hunting and cryptography in future,” he said.

Elmosalamy has published a technical explanation of his findings on GitHub, along with a video demonstration, to raise awareness among developers and end-users alike.

CEN offers talented students a range of programs that prepare them for cutting-edge careers in technology and cybersecurity, including the Bachelor of Science in Computer Engineering, Bachelor of Science in Computer Science, Master of Science in Computer Engineering (MSCOE) and the PhD in Electrical and Computer Engineering (PhD-ECE). The college’s programs equip students with a strong foundation in IT, engineering and cybersecurity, and give them a competitive edge by incorporating emerging topics such as AI and machine learning—part of the college’s recent CEN 2.0 curriculum enhancements.
