PHPOffice PhpSpreadsheet
cpe:2.3:a:phpoffice:phpspreadsheet:*:*:*:*:*:*:*
- <= 1.30.2
- >= 2.0.0, <= 2.1.14
- >= 2.2.0, <= 2.4.3
- >= 3.3.0, <= 3.10.3
- >= 4.0.0, <= 5.5.0
A vulnerability exists in PhpSpreadsheet versions 1.30.2 and earlier, as well as 2.0.0 through 2.1.14, 2.2.0 through 2.4.3, 3.3.0 through 3.10.3, and 4.0.0 through 5.5.0. When the filename argument in IOFactory::load() is user-controlled, an attacker can provide a PHP stream wrapper path (such as phar://, ftp://, or ssh2.sftp://) that bypasses the is_file() check in File::assertFile(). The phar:// wrapper can trigger deserialization of PHAR metadata, potentially leading to remote code execution if a suitable gadget chain is available. The ftp:// and ssh2.sftp:// wrappers could be exploited for server-side request forgery.
Exploitation of this vulnerability allows for deserialization of PHAR metadata when using the phar:// stream wrapper, which can lead to remote code execution if a compatible gadget chain is available in the application. Additionally, the ftp:// and ssh2.sftp:// stream wrappers can be used to perform server-side request forgery attacks.
The vulnerability can be reproduced by creating a malicious PHAR file that exploits the deserialization process when loaded with the PhpSpreadsheet library. This can be done by setting the phar.readonly directive to 0, creating a PHAR file with a gadget class that executes a command upon destruction, and then renaming the file to an Excel format. Once the malicious file is created, it can be uploaded or referenced in a way that PhpSpreadsheet's IOFactory::load() function processes it, triggering the vulnerability.
Users are advised to update PhpSpreadsheet to version 5.6.0, 3.10.4, 2.4.4, 2.1.15, or 1.30.3.
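Independently of the upgrade, an application can stop a user-supplied name from reaching IOFactory::load() as a stream-wrapper path. The following guarded loader is an added example, not code from the PhpSpreadsheet project or from this advisory: it rejects scheme-prefixed values, confines the resolved path to a hypothetical UPLOAD_DIR via realpath(), and unregisters the phar wrapper for the request. It assumes PHP 8 and Composer autoloading.

```php
<?php
// Added hardening example (not PhpSpreadsheet project code): never hand a
// user-controlled value to IOFactory::load() directly.
declare(strict_types=1);

require 'vendor/autoload.php';

use PhpOffice\PhpSpreadsheet\IOFactory;
use PhpOffice\PhpSpreadsheet\Spreadsheet;

// Hypothetical upload directory; only regular files below it may be loaded.
const UPLOAD_DIR = '/var/app/uploads';

function loadUserSpreadsheet(string $userSuppliedName): Spreadsheet
{
    // 1. Reject anything shaped like a stream wrapper ("scheme://").
    //    is_file() accepts phar://, ftp://, ssh2.sftp:// and similar paths,
    //    so this check must run before the library sees the value.
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $userSuppliedName)) {
        throw new InvalidArgumentException('Stream wrapper paths are not allowed');
    }

    // 2. Drop any directory component, canonicalise, and confine the result
    //    to UPLOAD_DIR. realpath() returns false for missing files and
    //    collapses ".." so traversal cannot escape the directory.
    $base = realpath(UPLOAD_DIR);
    $real = realpath(UPLOAD_DIR . '/' . basename($userSuppliedName));
    if ($base === false || $real === false
        || !str_starts_with($real, $base . DIRECTORY_SEPARATOR)) {
        throw new InvalidArgumentException('File not found in upload directory');
    }

    // 3. Only regular files with an expected spreadsheet extension.
    $ext = strtolower(pathinfo($real, PATHINFO_EXTENSION));
    if (!is_file($real) || !in_array($ext, ['xlsx', 'xls', 'csv', 'ods'], true)) {
        throw new InvalidArgumentException('Unsupported file');
    }

    // 4. Defence in depth: remove the phar wrapper for this request so no
    //    later code path can deserialize PHAR metadata from a renamed file.
    if (in_array('phar', stream_get_wrappers(), true)) {
        stream_wrapper_unregister('phar');
    }

    return IOFactory::load($real);
}
```

Unregistering phar affects the whole request, so applications that run from a PHAR archive themselves should keep only steps 1 to 3.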