{"id":6517,"date":"2025-08-29T10:03:37","date_gmt":"2025-08-29T10:03:37","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/08\/29\/phpspreadsheet-library-vulnerability-enables-attackers-to-feed-malicious-html-input\/"},"modified":"2025-08-29T10:03:37","modified_gmt":"2025-08-29T10:03:37","slug":"phpspreadsheet-library-vulnerability-enables-attackers-to-feed-malicious-html-input","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/08\/29\/phpspreadsheet-library-vulnerability-enables-attackers-to-feed-malicious-html-input\/","title":{"rendered":"PhpSpreadsheet Library Vulnerability Enables Attackers to Feed Malicious HTML Input"},"content":{"rendered":"

PhpSpreadsheet Library Vulnerability Enables Attackers to Feed Malicious HTML Input
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

A high-severity Server-Side Request Forgery (SSRF) vulnerability has been identified in the widely used PhpSpreadsheet library, potentially allowing attackers to exploit internal network resources and compromise server security.\u00a0<\/p>\n

The vulnerability, tracked as CVE-2025-54370, affects multiple versions of the phpoffice\/phpspreadsheet package and carries a CVSS v4.0 score of 8.7.<\/p>\n

Key Takeaways<\/strong>
<\/mark>1. SSRF in PhpSpreadsheet\u2019s WorksheetDrawing::setPath via malicious HTML image tags.
2. Affects < 1.30.0, 2.0.0\u20132.1.11, 2.2.0\u20132.3.x, 3.0.0\u20133.9.x, 4.x\u2009<\u20095.0.0
3. Update immediately and validate inputs.<\/pre>\n
High-Severity SSRF Vulnerability<\/strong><\/h2>\n
The vulnerability resides in the setPath method of the PhpOfficePhpSpreadsheetWorksheetDrawing class, where malicious HTML input can trigger unauthorized server-side requests.\u00a0<\/p>\n
Security researcher Aleksey Solovev from Positive Technologies discovered this zero-day flaw while analyzing version 3.8.0 of the library.<\/p>\n
The exploitation occurs when attackers craft malicious HTML<\/a> documents containing image tags with src attributes pointing to internal network resources.\u00a0<\/p>\n
When the PhpSpreadsheet HTML reader processes these documents, the library inadvertently makes requests to the specified URLs, potentially exposing sensitive internal services.<\/p>\n
Proof-of-concept code demonstrates the attack vector:<\/p>\n
\n
\"PhpSpreadsheet<\/figure>\n<\/div>\n
The malicious HTML file contains:<\/p>\n
\n
\"PhpSpreadsheet<\/figure>\n<\/div>\n
\n\n\n\n\n\n\n\n
Risk Factors<\/strong><\/td>\nDetails<\/strong><\/td>\n<\/tr>\n
Affected Products<\/td>\n\u2013 Versions < 1.30.0- 2.0.0\u20132.1.11- 2.2.0\u20132.3.x- 3.0.0\u20133.9.x- 4.x < 5.0.0<\/td>\n<\/tr>\n
Impact<\/td>\nHigh confidentiality impact via SSRF<\/td>\n<\/tr>\n
Exploit Prerequisites<\/td>\nUntrusted HTML input passed to the HTML reader<\/td>\n<\/tr>\n
CVSS 3.1 Score<\/td>\n7.5 (High)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n
Affected Versions and Security Patches<\/strong><\/h2>\n
The vulnerability impacts multiple version ranges across the PhpSpreadsheet ecosystem:<\/p>\n