PhpSpreadsheet Library Vulnerability Enables Attackers to Feed Malicious HTML Input

A high-severity Server-Side Request Forgery (SSRF) vulnerability has been identified in the widely used PhpSpreadsheet library, potentially allowing attackers to exploit internal network resources and compromise server security. 

The vulnerability, tracked as CVE-2025-54370, affects multiple versions of the phpoffice/phpspreadsheet package and carries a CVSS v4.0 score of 8.7.

Key Takeaways
1. SSRF in PhpSpreadsheet’s WorksheetDrawing::setPath via malicious HTML image tags.
2. Affects < 1.30.0, 2.0.0–2.1.11, 2.2.0–2.3.x, 3.0.0–3.9.x, 4.x < 5.0.0
3. Update immediately and validate inputs.

High-Severity SSRF Vulnerability

The vulnerability resides in the setPath method of the PhpOfficePhpSpreadsheetWorksheetDrawing class, where malicious HTML input can trigger unauthorized server-side requests. 

Security researcher Aleksey Solovev from Positive Technologies discovered this zero-day flaw while analyzing version 3.8.0 of the library.

The exploitation occurs when attackers craft malicious HTML documents containing image tags with src attributes pointing to internal network resources. 

When the PhpSpreadsheet HTML reader processes these documents, the library inadvertently makes requests to the specified URLs, potentially exposing sensitive internal services.

Proof-of-concept code demonstrates the attack vector:

The malicious HTML file contains:

Risk Factors	Details
Affected Products	– Versions < 1.30.0- 2.0.0–2.1.11- 2.2.0–2.3.x- 3.0.0–3.9.x- 4.x < 5.0.0
Impact	High confidentiality impact via SSRF
Exploit Prerequisites	Untrusted HTML input passed to the HTML reader
CVSS 3.1 Score	7.5 (High)

Affected Versions and Security Patches

The vulnerability impacts multiple version ranges across the PhpSpreadsheet ecosystem:

• Legacy versions: All versions prior to 1.30.0
• Version 2.x series: 2.0.0 through 2.1.11 and 2.2.0 through 2.3.x
• Version 3.x series: 3.0.0 through 3.9.x
• Version 4.x series: All 4.x versions prior to 5.0.0

Patched versions include 1.30.0, 2.1.12, 2.4.0, 3.10.0, and 5.0.0. Organizations using affected versions should prioritize immediate updates to prevent potential exploitation.

The vulnerability classification follows CWE-918: Server-Side Request Forgery, with attack vectors requiring no authentication or user interaction (AV:N/AC:L/PR:N/UI:N). 

This enables remote attackers to exploit the flaw through network-accessible applications processing user-supplied HTML content.

Additional security concerns include potential phar deserialization attacks through the file_exists method of the vulnerable code, creating multiple attack surfaces within the same component. 

Organizations utilizing PhpSpreadsheet for HTML document processing should implement input validation and network segmentation as additional protective measures while deploying the security updates.

Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates.

The post PhpSpreadsheet Library Vulnerability Enables Attackers to Feed Malicious HTML Input appeared first on Cyber Security News.