A high-severity Server-Side Request Forgery (SSRF) vulnerability has been identified in the widely used PhpSpreadsheet library, potentially allowing attackers to reach internal network resources and compromise server security.
The vulnerability, tracked as CVE-2025-54370, affects multiple versions of the phpoffice/phpspreadsheet package and carries a CVSS v4.0 score of 8.7.
Key Takeaways
1. SSRF in PhpSpreadsheet's WorksheetDrawing::setPath via malicious HTML image tags.
2. Impacts
3. Update immediately and validate inputs.
High-Severity SSRF Vulnerability
The vulnerability resides in the setPath method of the PhpOffice\PhpSpreadsheet\Worksheet\Drawing class, where malicious HTML input can trigger unauthorized server-side requests.
Security researcher Aleksey Solovev from Positive Technologies discovered this zero-day flaw while analyzing version 3.8.0 of the library.
Exploitation occurs when attackers craft malicious HTML documents containing image tags whose src attributes point to internal network resources.
When the PhpSpreadsheet HTML reader processes these documents, the library inadvertently makes requests to the specified URLs, potentially exposing sensitive internal services.
Proof-of-concept code demonstrates the attack vector:
The malicious HTML file contains:
Risk Factors / Details
Affected Products: – Versions
Impact: High confidentiality impact via SSRF
Exploit Prerequisites: Untrusted HTML input passed to the HTML reader
CVSS 3.1 Score: 7.5 (High)
Affected Versions and Security Patches
The vulnerability affects multiple version ranges across the PhpSpreadsheet ecosystem:
Legacy versions: All versions prior to 1.30.0
Version 2.x series: 2.0.0 through 2.1.11 and 2.2.0 through 2.3.x
Version 3.x series: 3.0.0 through 3.9.x
Version 4.x series: All 4.x versions prior to 5.0.0
Patched versions include 1.30.0, 2.1.12, 2.4.0, 3.10.0, and 5.0.0. Organizations running affected versions should prioritize immediate updates to prevent potential exploitation.
The vulnerability is classified as CWE-918: Server-Side Request Forgery, with an attack vector requiring no authentication or user interaction (AV:N/AC:L/PR:N/UI:N).
This allows remote attackers to exploit the flaw through network-accessible applications that process user-supplied HTML content.
Additional security concerns include potential phar deserialization attacks through the file_exists call in the vulnerable code, creating multiple attack surfaces within the same component.
Organizations using PhpSpreadsheet for HTML document processing should implement input validation and network segmentation as additional protective measures while deploying the security updates.
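One way to apply the input-validation advice above, as an added example that is not code from the advisory or from the PhpSpreadsheet project: untrusted HTML is parsed with DOMDocument and every img element whose src is not an inline data URI or an http(s) URL on an assumed allowlist of public hosts is dropped before the HTML reaches the HTML reader. The sample HTML, the allowlist host and the internal address are constructed; PHP 8 is assumed for str_starts_with.

```php
<?php
declare(strict_types=1);

// Reject IPs in private (RFC 1918) or reserved (loopback, link-local, ...) ranges.
function isPrivateIp(string $ip): bool
{
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false;
}

function isAllowedImageSrc(string $src, array $allowedHosts): bool
{
    // Inline images need no network or filesystem access.
    if (str_starts_with(strtolower($src), 'data:image/')) {
        return true;
    }
    $parts = parse_url($src);
    // Relative paths, file:// and similar wrappers have no host and fail here.
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    // Only plain http/https; this also rules out phar:// and other stream wrappers.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    $host = strtolower($parts['host']);
    if (!in_array($host, $allowedHosts, true)) {
        return false;   // allowlist of public image hosts (assumed site policy)
    }
    // Defence in depth: refuse allowlisted names that currently resolve to internal
    // addresses. The reader resolves again later, so this does not cover DNS rebinding.
    foreach (gethostbynamel($host) ?: [] as $ip) {
        if (isPrivateIp($ip)) {
            return false;
        }
    }
    return true;
}

function stripUnsafeImages(string $html, array $allowedHosts): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // tolerate sloppy markup quietly
    $doc->loadHTML($html, LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    $xpath = new DOMXPath($doc);
    foreach (iterator_to_array($xpath->query('//img')) as $img) {
        if (!isAllowedImageSrc($img->getAttribute('src'), $allowedHosts)) {
            $img->parentNode->removeChild($img);   // drop it rather than fetch it
        }
    }
    return $doc->saveHTML();
}

// Constructed sample: the internal-address image is removed, the allowlisted one kept.
$sample = '<table><tr><td><img src="http://10.0.0.5/status"></td>'
        . '<td><img src="https://cdn.example.com/logo.png"></td></tr></table>';
$clean = stripUnsafeImages($sample, ['cdn.example.com']);
```

The cleaned string, not the raw upload, is what should be handed to the library's HTML reader (for example via its loadFromString method, assumed available in the installed version), and this filtering complements rather than replaces upgrading to a patched release.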