
PhpSpreadsheet Library Vulnerability Lets Attackers Inject Malicious HTML Input

A critical Server-Side Request Forgery (SSRF) vulnerability has been discovered in the popular PhpSpreadsheet library, allowing attackers to inject malicious HTML input when processing spreadsheet documents.

The vulnerability, assigned CVE-2025-54370, affects multiple versions of the phpoffice/phpspreadsheet package and carries a high severity rating, with a CVSS v3.1 score of 7.5 and a CVSS v4.0 score of 8.7.

Vulnerability Details

The security flaw was discovered by Aleksey Solovev from Positive Technologies and affects the PhpOffice\PhpSpreadsheet\Worksheet\Drawing class, specifically its setPath method.

CVE ID: CVE-2025-54370
Description: Server-Side Request Forgery when reading and displaying a processed HTML document in the browser via the PhpOffice\PhpSpreadsheet\Worksheet\Drawing::setPath method
Package: phpoffice/phpspreadsheet (Composer)

The vulnerability occurs when a processed HTML document is read and displayed in a browser, enabling Server-Side Request Forgery attacks.

The vulnerability is classified under CWE-918: Server-Side Request Forgery (SSRF) and allows attackers to exploit the library’s HTML processing capabilities.

When user-controlled strings are passed to the HTML reader, malicious actors can craft specially designed HTML content containing image tags with malicious src attributes pointing to internal network resources.

Multiple version ranges of the phpoffice/phpspreadsheet library are vulnerable to this attack:

The research specifically focused on version 3.8.0 of the library, demonstrating the vulnerability’s presence in recent releases.

The attack vector involves creating malicious HTML files containing image tags with internal network addresses.

When the PhpSpreadsheet library processes these files, it attempts to fetch resources from the specified URLs, potentially exposing internal network infrastructure.

The researcher demonstrated the vulnerability using a simple HTML file containing:

<table>
    <tr>
        <img src="http://127.0.0.1:1337">
    </tr>
</table>

When processed through the library’s HTML reader and subsequently rendered, this payload triggers requests to the specified internal address, confirming the SSRF vulnerability.

The vulnerability enables attackers to perform Server-Side Request Forgery attacks, potentially allowing them to:

  • Access internal network resources
  • Bypass network security controls
  • Gather information about internal infrastructure
  • Potentially escalate attacks against internal systems

Immediate mitigation requires upgrading to the patched versions listed above. Organizations should prioritize updating their PhpSpreadsheet installations, particularly those processing user-supplied HTML content or spreadsheet files containing HTML elements.

The vulnerability underscores the importance of input validation and secure processing of user-supplied content in spreadsheet libraries.

Development teams should implement additional security measures when processing external content and consider implementing allowlist-based URL filtering for image resources.
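The allowlist-based URL filtering recommended here, applied to the image src attributes described earlier, as an added example that is neither PhpSpreadsheet's own code nor the researcher's proof of concept. It assumes a deployment-specific list of permitted image hosts ($allowedHosts, with images.example.com as a constructed placeholder) and runs over the user-supplied HTML string before that string reaches the library's HTML reader; the sample input is constructed to mirror the shape of the published payload, with one allowed and one disallowed image.

```php
<?php
declare(strict_types=1);

// Added example, not PhpSpreadsheet code: drop <img> tags whose src is not an
// absolute http(s) URL on a public, allowlisted host before the HTML is parsed
// by the spreadsheet library. $allowedHosts is an assumed deployment setting.

/**
 * Decide whether an image URL may be fetched at all.
 * Rules: absolute http(s) URL, host on the allowlist, and if the host is an IP
 * literal it must be a public address (rejects 127.0.0.1, 10/8, 169.254/16, ::1, ...).
 */
function isAllowedImageUrl(string $url, array $allowedHosts): bool
{
    $parts = parse_url(trim($url));
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false; // relative paths, protocol-relative URLs, data: URIs
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return false; // file:, php:, ftp: and other stream wrappers
    }
    $host = strtolower(rtrim($parts['host'], '.'));

    // Defence in depth: an IP literal must be public even if it was allowlisted.
    $ip = trim($host, '[]'); // IPv6 literals are bracketed inside URLs
    if (filter_var($ip, FILTER_VALIDATE_IP) !== false) {
        $public = filter_var(
            $ip,
            FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
        );
        if ($public === false) {
            return false;
        }
    }

    return in_array($host, array_map('strtolower', $allowedHosts), true);
}

/**
 * Remove every <img> whose src fails the allowlist; everything else is kept.
 * Returns the cleaned HTML and the number of tags removed (for logging/alerting).
 *
 * @return array{0: string, 1: int}
 */
function stripDisallowedImages(string $html, array $allowedHosts): array
{
    if (trim($html) === '') {
        return [$html, 0]; // DOMDocument::loadHTML rejects an empty string
    }
    $dom = new DOMDocument();
    $prev = libxml_use_internal_errors(true); // tolerate sloppy user HTML quietly
    $dom->loadHTML($html, LIBXML_HTML_NODEFDTD); // add <meta charset> for non-ASCII input
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    // Collect first: removing nodes while iterating a live DOMNodeList skips entries.
    $toRemove = [];
    foreach ($dom->getElementsByTagName('img') as $img) {
        if (!isAllowedImageUrl($img->getAttribute('src'), $allowedHosts)) {
            $toRemove[] = $img;
        }
    }
    foreach ($toRemove as $img) {
        $img->parentNode->removeChild($img);
    }

    return [$dom->saveHTML(), count($toRemove)];
}

// Constructed input mirroring the shape of the published payload.
$allowedHosts = ['images.example.com']; // assumed deployment allowlist
$userHtml = <<<HTML
<table>
    <tr>
        <img src="http://127.0.0.1:1337">
        <img src="https://images.example.com/logo.png">
    </tr>
</table>
HTML;

[$clean, $removed] = stripDisallowedImages($userHtml, $allowedHosts);
printf("removed %d image tag(s)\n%s\n", $removed, $clean);
// Only $clean is handed to PhpSpreadsheet's HTML reader, never $userHtml.
```

The host allowlist is the primary control; the IP-range check only catches an allowlist entry that was itself an internal address. Two limits worth knowing when deploying this: a hostname on the allowlist can still resolve to an internal address (DNS is not checked here), and an HTTP redirect from an allowed host can point inward if the fetching code follows redirects. The filter therefore complements the upgrade to a patched release rather than replacing it, and a non-zero removed count is a useful signal to log.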
