CVE-2025-54370 (GCVE-0-2025-54370)

Vulnerability from cvelistv5

Published

2025-08-25 14:08

Modified

2025-08-25 14:34

Severity ?

8.7 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CWE

CWE-918 - Server-Side Request Forgery (SSRF)

Summary

PhpOffice/PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to versions 1.30.0, 2.1.12, 2.4.0, 3.10.0, and 5.0.0, SSRF can occur when a processed HTML document is read and displayed in the browser. The vulnerability lies in the setPath method of the PhpOffice\PhpSpreadsheet\Worksheet\Drawing class, where a crafted string from the user is passed to the HTML reader. This issue has been patched in versions 1.30.0, 2.1.12, 2.4.0, 3.10.0, and 5.0.0.

References

URL

Tags

	security-advisories@github.com	https://github.com/PHPOffice/PhpSpreadsheet/commit/334a67797ace574d1d37c0992ffe283b7415471a
	security-advisories@github.com	https://github.com/PHPOffice/PhpSpreadsheet/commit/4050f14521d70634c3320b170236574a6106eb39
	security-advisories@github.com	https://github.com/PHPOffice/PhpSpreadsheet/commit/81a0de2261f698404587a6421a5c6eb263c40b31
	security-advisories@github.com	https://github.com/PHPOffice/PhpSpreadsheet/commit/ac4befd2f7ccc21a59daef606a02a3d1828ade09
	security-advisories@github.com	https://github.com/PHPOffice/PhpSpreadsheet/commit/c2cd0e64392438e4c6af082796eb65c1d629a266
	security-advisories@github.com	https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-rx7m-68vc-ppxh

Impacted products

	Vendor	Product	Version
	PHPOffice	PhpSpreadsheet	Version: < 1.30.0 Version: >= 2.0.0, < 2.1.12 Version: >= 2.2.0, < 2.4.0 Version: >= 3.0.0, < 3.10.0 Version: >= 4.0.0, < 5.0.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-54370",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-25T14:34:28.362382Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-25T14:34:39.628Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "PhpSpreadsheet",
          "vendor": "PHPOffice",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.30.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.0.0, \u003c 2.1.12"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.2.0, \u003c 2.4.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.0.0, \u003c 3.10.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.0.0, \u003c 5.0.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "PhpOffice/PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to versions 1.30.0, 2.1.12, 2.4.0, 3.10.0, and 5.0.0, SSRF can occur when a processed HTML document is read and displayed in the browser. The vulnerability lies in the setPath method of the PhpOffice\\PhpSpreadsheet\\Worksheet\\Drawing class, where a crafted string from the user is passed to the HTML reader. This issue has been patched in versions 1.30.0, 2.1.12, 2.4.0, 3.10.0, and 5.0.0."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918: Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-25T14:08:58.228Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-rx7m-68vc-ppxh",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-rx7m-68vc-ppxh"
        },
        {
          "name": "https://github.com/PHPOffice/PhpSpreadsheet/commit/334a67797ace574d1d37c0992ffe283b7415471a",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/334a67797ace574d1d37c0992ffe283b7415471a"
        },
        {
          "name": "https://github.com/PHPOffice/PhpSpreadsheet/commit/4050f14521d70634c3320b170236574a6106eb39",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/4050f14521d70634c3320b170236574a6106eb39"
        },
        {
          "name": "https://github.com/PHPOffice/PhpSpreadsheet/commit/81a0de2261f698404587a6421a5c6eb263c40b31",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/81a0de2261f698404587a6421a5c6eb263c40b31"
        },
        {
          "name": "https://github.com/PHPOffice/PhpSpreadsheet/commit/ac4befd2f7ccc21a59daef606a02a3d1828ade09",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/ac4befd2f7ccc21a59daef606a02a3d1828ade09"
        },
        {
          "name": "https://github.com/PHPOffice/PhpSpreadsheet/commit/c2cd0e64392438e4c6af082796eb65c1d629a266",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/c2cd0e64392438e4c6af082796eb65c1d629a266"
        }
      ],
      "source": {
        "advisory": "GHSA-rx7m-68vc-ppxh",
        "discovery": "UNKNOWN"
      },
      "title": "PhpSpreadsheet vulnerable to SSRF when reading and displaying a processed HTML document in the browser"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-54370",
    "datePublished": "2025-08-25T14:08:58.228Z",
    "dateReserved": "2025-07-21T16:12:20.732Z",
    "dateUpdated": "2025-08-25T14:34:39.628Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-54370\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-08-25T14:15:33.117\",\"lastModified\":\"2025-08-25T20:24:45.327\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"PhpOffice/PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to versions 1.30.0, 2.1.12, 2.4.0, 3.10.0, and 5.0.0, SSRF can occur when a processed HTML document is read and displayed in the browser. The vulnerability lies in the setPath method of the PhpOffice\\\\PhpSpreadsheet\\\\Worksheet\\\\Drawing class, where a crafted string from the user is passed to the HTML reader. This issue has been patched in versions 1.30.0, 2.1.12, 2.4.0, 3.10.0, and 5.0.0.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-918\"}]}],\"references\":[{\"url\":\"https://github.com/PHPOffice/PhpSpreadsheet/commit/334a67797ace574d1d37c0992ffe283b7415471a\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/PHPOffice/PhpSpreadsheet/commit/4050f14521d70634c3320b170236574a6106eb39\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/PHPOffice/PhpSpreadsheet/commit/81a0de2261f698404587a6421a5c6eb263c40b31\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/PHPOffice/PhpSpreadsheet/commit/ac4befd2f7ccc21a59daef606a02a3d1828ade09\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/PHPOffice/PhpSpreadsheet/commit/c2cd0e64392438e4c6af082796eb65c1d629a266\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-rx7m-68vc-ppxh\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-54370\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-08-25T14:34:28.362382Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-08-25T14:34:32.955Z\"}}], \"cna\": {\"title\": \"PhpSpreadsheet vulnerable to SSRF when reading and displaying a processed HTML document in the browser\", \"source\": {\"advisory\": \"GHSA-rx7m-68vc-ppxh\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 8.7, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"PHPOffice\", \"product\": \"PhpSpreadsheet\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.30.0\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2.0.0, \u003c 2.1.12\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2.2.0, \u003c 2.4.0\"}, {\"status\": \"affected\", \"version\": \"\u003e= 3.0.0, \u003c 3.10.0\"}, {\"status\": \"affected\", \"version\": \"\u003e= 4.0.0, \u003c 5.0.0\"}]}], \"references\": [{\"url\": \"https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-rx7m-68vc-ppxh\", \"name\": \"https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-rx7m-68vc-ppxh\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/PHPOffice/PhpSpreadsheet/commit/334a67797ace574d1d37c0992ffe283b7415471a\", \"name\": \"https://github.com/PHPOffice/PhpSpreadsheet/commit/334a67797ace574d1d37c0992ffe283b7415471a\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/PHPOffice/PhpSpreadsheet/commit/4050f14521d70634c3320b170236574a6106eb39\", \"name\": \"https://github.com/PHPOffice/PhpSpreadsheet/commit/4050f14521d70634c3320b170236574a6106eb39\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/PHPOffice/PhpSpreadsheet/commit/81a0de2261f698404587a6421a5c6eb263c40b31\", \"name\": \"https://github.com/PHPOffice/PhpSpreadsheet/commit/81a0de2261f698404587a6421a5c6eb263c40b31\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/PHPOffice/PhpSpreadsheet/commit/ac4befd2f7ccc21a59daef606a02a3d1828ade09\", \"name\": \"https://github.com/PHPOffice/PhpSpreadsheet/commit/ac4befd2f7ccc21a59daef606a02a3d1828ade09\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/PHPOffice/PhpSpreadsheet/commit/c2cd0e64392438e4c6af082796eb65c1d629a266\", \"name\": \"https://github.com/PHPOffice/PhpSpreadsheet/commit/c2cd0e64392438e4c6af082796eb65c1d629a266\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"PhpOffice/PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to versions 1.30.0, 2.1.12, 2.4.0, 3.10.0, and 5.0.0, SSRF can occur when a processed HTML document is read and displayed in the browser. The vulnerability lies in the setPath method of the PhpOffice\\\\PhpSpreadsheet\\\\Worksheet\\\\Drawing class, where a crafted string from the user is passed to the HTML reader. This issue has been patched in versions 1.30.0, 2.1.12, 2.4.0, 3.10.0, and 5.0.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-918\", \"description\": \"CWE-918: Server-Side Request Forgery (SSRF)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-08-25T14:08:58.228Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-54370\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-08-25T14:34:39.628Z\", \"dateReserved\": \"2025-07-21T16:12:20.732Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-08-25T14:08:58.228Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

ghsa-rx7m-68vc-ppxh

Vulnerability from github

Published

2025-08-25 14:32

Modified

2025-08-29 21:09

Severity ?

8.7 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Summary

PhpSpreadsheet vulnerable to SSRF when reading and displaying a processed HTML document in the browser

Details

Product: PhpSpreadsheet Version: 3.8.0 CWE-ID: CWE-918: Server-Side Request Forgery (SSRF) CVSS vector v.3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) CVSS vector v.4.0: 8.7 (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N) Description: SSRF occurs when a processed HTML document is read and displayed in the browser Impact: Server-Side Request Forgery Vulnerable component: the PhpOffice\PhpSpreadsheet\Worksheet\Drawing class, setPath method Exploitation conditions: getting a string from the user that is passed to the HTML reader Mitigation: improved processing of the $path variable of the setPath method of the PhpOffice\PhpSpreadsheet\Worksheet\Drawing class is needed Researcher: Aleksey Solovev (Positive Technologies)

Research

The researcher discovered zero-day vulnerability Server-Side Request Forgery (SSRF) (in the setPath method of the PhpOffice\PhpSpreadsheet\Worksheet\Drawing class) in Phpspreadsheet. The latest version (3.8.0) of the phpoffice/phpspreadsheet library was installed. Below are the details of the installation:

Listing 1. Installing the phpoffice/phpspreadsheet library $ composer require phpoffice/phpspreadsheet --prefer-source The code that processes the HTML string with further rendering and displaying the result in the browser. Listing 2. Executable file index.php using the PhpSpreadsheet library ```

load($inputFileName); $writer = new \PhpOffice\PhpSpreadsheet\Writer\Html($spreadsheet); print($writer->generateHTMLAll()); ``` Also, the `./doc/file.html` has the following content: the `img` tag with the `src` attribute, which contains the value `http:// 127.0.0.1:1337` *Listing 3. The ./doc/file.html file* ```

``` The vulnerability lies in the `setPath` method of the `PhpOffice\PhpSpreadsheet\Worksheet\Drawing` class. Figure 1. The `PhpOffice\PhpSpreadsheet\Worksheet\Drawing` class, `setPath` method. ![fig1](https://github.com/user-attachments/assets/75433f59-fac6-46d5-bcfd-6d0174bfcedd) Figure 2 below demonstrates the SSRF vulnerability exploitation. ![fig2](https://github.com/user-attachments/assets/3601692b-b077-420f-a2fb-8af0b66b6475) Figure 2. Demonstration of the SSRF vulnerability exploitation Also, there is code on line 154 that could potentially be used by an attacker to perform unsafe deserialization via the `phar` archive and the `file_exists` method. Figure 3. Opportunity to perform phar deserialization ![fig3](https://github.com/user-attachments/assets/3d7d4fc2-1b89-4925-82fa-e21c773efd47) _____________________________________________ Please, assign all credits to: Aleksey Solovev (Positive Technologies) # Credit Aleksey Solovev (Positive Technologies) ?>

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/phpspreadsheet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.30.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/phpspreadsheet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.1.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/phpspreadsheet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "2.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/phpspreadsheet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.10.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/phpspreadsheet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "5.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-54370"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-25T14:32:32Z",
    "nvd_published_at": "2025-08-25T14:15:33Z",
    "severity": "HIGH"
  },
  "details": "**Product:** PhpSpreadsheet\n**Version:** 3.8.0\n**CWE-ID:** CWE-918: Server-Side Request Forgery (SSRF)\n**CVSS vector v.3.1:** 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n**CVSS vector v.4.0:** 8.7 (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N)\n**Description:** SSRF occurs when a processed HTML document is read and displayed in the browser\n**Impact:** Server-Side Request Forgery\n**Vulnerable component:** the `PhpOffice\\PhpSpreadsheet\\Worksheet\\Drawing` class, `setPath` method\n**Exploitation conditions:** getting a string from the user that is passed to the HTML reader\n**Mitigation:** improved processing of the `$path` variable of the `setPath` method of the `PhpOffice\\PhpSpreadsheet\\Worksheet\\Drawing` class is needed\n**Researcher: Aleksey Solovev (Positive Technologies)**\n\n# Research\nThe researcher discovered zero-day vulnerability Server-Side Request Forgery (SSRF) (in the `setPath` method of the `PhpOffice\\PhpSpreadsheet\\Worksheet\\Drawing` class) in Phpspreadsheet.\nThe latest version (3.8.0) of the `phpoffice/phpspreadsheet` library was installed. Below are the details of the installation:\n\n*Listing 1. Installing the phpoffice/phpspreadsheet library*\n```\n$ composer require phpoffice/phpspreadsheet --prefer-source\n```\nThe code that processes the HTML string with further rendering and displaying the result in the browser.\n*Listing 2. Executable file index.php using the PhpSpreadsheet library*\n```\n\u003c?php\n\nrequire __DIR__ . \u0027/vendor/autoload.php\u0027;\n\n$inputFileType = \u0027Html\u0027;\n$reader = \\PhpOffice\\PhpSpreadsheet\\IOFactory::createReader($inputFileType);  \n\n\n$inputFileName = \u0027./doc/file.html\u0027;\n$spreadsheet = $reader-\u003eload($inputFileName); \n\n$writer = new \\PhpOffice\\PhpSpreadsheet\\Writer\\Html($spreadsheet); \nprint($writer-\u003egenerateHTMLAll());\n```\n\nAlso, the `./doc/file.html` has the following content: the `img` tag with the `src` attribute, which contains the value `http:// 127.0.0.1:1337`\n\n*Listing 3. The ./doc/file.html file*\n```\n\u003ctable\u003e\n    \u003ctr\u003e\n        \u003cimg src=\"http://127.0.0.1:1337\"\u003e\n    \u003c/tr\u003e\n\u003c/table\u003e\n```\nThe vulnerability lies in the `setPath` method of the `PhpOffice\\PhpSpreadsheet\\Worksheet\\Drawing` class.\n \nFigure 1. The `PhpOffice\\PhpSpreadsheet\\Worksheet\\Drawing` class, `setPath` method.\n\n![fig1](https://github.com/user-attachments/assets/75433f59-fac6-46d5-bcfd-6d0174bfcedd)\n\nFigure 2 below demonstrates the SSRF vulnerability exploitation.\n\n![fig2](https://github.com/user-attachments/assets/3601692b-b077-420f-a2fb-8af0b66b6475)\n\nFigure 2. Demonstration of the SSRF vulnerability exploitation\n\nAlso, there is code on line 154 that could potentially be used by an attacker to perform unsafe deserialization via the `phar` archive and the `file_exists` method.\n \nFigure 3. Opportunity to perform phar deserialization\n![fig3](https://github.com/user-attachments/assets/3d7d4fc2-1b89-4925-82fa-e21c773efd47)\n\n_____________________________________________\n\nPlease, assign all credits to: Aleksey Solovev (Positive Technologies)\n\n# Credit\n\nAleksey Solovev (Positive Technologies)",
  "id": "GHSA-rx7m-68vc-ppxh",
  "modified": "2025-08-29T21:09:00Z",
  "published": "2025-08-25T14:32:32Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-rx7m-68vc-ppxh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54370"
    },
    {
      "type": "WEB",
      "url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/334a67797ace574d1d37c0992ffe283b7415471a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/4050f14521d70634c3320b170236574a6106eb39"
    },
    {
      "type": "WEB",
      "url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/81a0de2261f698404587a6421a5c6eb263c40b31"
    },
    {
      "type": "WEB",
      "url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/ac4befd2f7ccc21a59daef606a02a3d1828ade09"
    },
    {
      "type": "WEB",
      "url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/c2cd0e64392438e4c6af082796eb65c1d629a266"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/phpoffice/phpspreadsheet/CVE-2025-54370.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/PHPOffice/PhpSpreadsheet"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "PhpSpreadsheet vulnerable to SSRF when reading and displaying a processed HTML document in the browser"
}

fkie_cve-2025-54370

Vulnerability from fkie_nvd

Published

2025-08-25 14:15

Modified

2025-08-25 20:24

Severity ?

8.7 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/PHPOffice/PhpSpreadsheet/commit/334a67797ace574d1d37c0992ffe283b7415471a
	security-advisories@github.com	https://github.com/PHPOffice/PhpSpreadsheet/commit/4050f14521d70634c3320b170236574a6106eb39
	security-advisories@github.com	https://github.com/PHPOffice/PhpSpreadsheet/commit/81a0de2261f698404587a6421a5c6eb263c40b31
	security-advisories@github.com	https://github.com/PHPOffice/PhpSpreadsheet/commit/ac4befd2f7ccc21a59daef606a02a3d1828ade09
	security-advisories@github.com	https://github.com/PHPOffice/PhpSpreadsheet/commit/c2cd0e64392438e4c6af082796eb65c1d629a266
	security-advisories@github.com	https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-rx7m-68vc-ppxh

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "PhpOffice/PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to versions 1.30.0, 2.1.12, 2.4.0, 3.10.0, and 5.0.0, SSRF can occur when a processed HTML document is read and displayed in the browser. The vulnerability lies in the setPath method of the PhpOffice\\PhpSpreadsheet\\Worksheet\\Drawing class, where a crafted string from the user is passed to the HTML reader. This issue has been patched in versions 1.30.0, 2.1.12, 2.4.0, 3.10.0, and 5.0.0."
    },
    {
      "lang": "es",
      "value": "PhpOffice/PhpSpreadsheet es una librer\u00eda PHP pura para leer y escribir archivos de hojas de c\u00e1lculo. En versiones anteriores a las 1.30.0, 2.1.12, 2.4.0, 3.10.0 y 5.0.0, la SSRF pod\u00eda ocurrir al leer y mostrar en el navegador un documento HTML procesado. La vulnerabilidad reside en el m\u00e9todo setPath de la clase PhpOffice\\PhpSpreadsheet\\Worksheet\\Drawing, donde se pasa una cadena manipulada por el usuario al lector HTML. Este problema se ha corregido en las versiones 1.30.0, 2.1.12, 2.4.0, 3.10.0 y 5.0.0."
    }
  ],
  "id": "CVE-2025-54370",
  "lastModified": "2025-08-25T20:24:45.327",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 8.7,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-08-25T14:15:33.117",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/334a67797ace574d1d37c0992ffe283b7415471a"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/4050f14521d70634c3320b170236574a6106eb39"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/81a0de2261f698404587a6421a5c6eb263c40b31"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/ac4befd2f7ccc21a59daef606a02a3d1828ade09"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/c2cd0e64392438e4c6af082796eb65c1d629a266"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-rx7m-68vc-ppxh"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-918"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2025-54370 (GCVE-0-2025-54370)

Vulnerability from cvelistv5

ghsa-rx7m-68vc-ppxh

Vulnerability from github

Research

fkie_cve-2025-54370

Vulnerability from fkie_nvd

Tags

Sightings

Nomenclature