PhpOffice PhpSpreadsheet
Moderate fix5 remedies
cpe:2.3:a:phpoffice:phpspreadsheet:*:*:*:*:*:*:*, +1 more
Moderate fix5 remedies
- < 1.30.0
- >= 2.0.0, < 2.1.12
- >= 2.2.0, < 2.4.0
- >= 3.0.0, < 3.10.0
- >= 4.0.0, < 5.0.0
PhpOffice PhpSpreadsheet Server-Side Request Forgery Vulnerability in the Drawing Component
Vulnerability
Patched
A server-side request forgery (SSRF) vulnerability has been identified in the PhpOffice PhpSpreadsheet library, specifically in versions prior to 1.30.0, 2.1.12, 2.4.0, 3.10.0, and 5.0.0. The issue arises in the 'setPath' method of the 'PhpOffice\PhpSpreadsheet\Worksheet\Drawing' class, where user-supplied strings are improperly handled. This vulnerability allows crafted HTML documents to be processed and displayed in a way that could exploit internal resources.
Impact
Exploitation of this vulnerability allows for server-side request forgery, where an attacker can manipulate the server to make requests on their behalf, potentially accessing internal services or resources.
Reproduction
To reproduce this vulnerability, load a crafted HTML file containing an 'img' tag with a 'src' attribute pointing to a local server (e.g., 'http://127.0.0.1:1337'). Use the PhpSpreadsheet library to read the HTML file with the 'Html' reader. The 'setAllowExternalImages' option must be set to true, which is the default in versions prior to the patch.
Remediation
Users can update to PhpSpreadsheet versions 1.30.0, 2.1.12, 2.4.0, 3.10.0, or 5.0.0 to address this vulnerability.
Added: Aug 25, 2025, 2:32 PM
Updated: Aug 25, 2025, 2:32 PM
Vulnerability Rating
Custom Algorithm
spread
5.4impact
1.0exploitability
6.0remediation
7.7relevance
0.4threat
6.4urgency
2.9incentive
1.7Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.