CVE-2025-54370 in PhpSpreadsheet
Summary
by MITRE • 08/25/2025
PhpOffice/PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to versions 1.30.0, 2.1.12, 2.4.0, 3.10.0, and 5.0.0, SSRF can occur when a processed HTML document is read and displayed in the browser. The vulnerability lies in the setPath method of the PhpOffice\PhpSpreadsheet\Worksheet\Drawing class, where a crafted string from the user is passed to the HTML reader. This issue has been patched in versions 1.30.0, 2.1.12, 2.4.0, 3.10.0, and 5.0.0.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 09/16/2025
The vulnerability identified as CVE-2025-54370 affects the PhpOffice/PhpSpreadsheet library, a widely used pure PHP library for handling spreadsheet files across numerous web applications and platforms. This library serves as a critical component in applications that require spreadsheet processing capabilities, making it a prime target for security researchers and malicious actors. The vulnerability specifically manifests in versions prior to 1.30.0, 2.1.12, 2.4.0, 3.10.0, and 5.0.0, indicating a long-standing issue that has affected multiple major releases of the library. The flaw resides within the setPath method of the PhpOffice\PhpSpreadsheet\Worksheet\Drawing class, which processes user-provided input during HTML document handling operations. This vulnerability represents a significant security risk as it allows for Server-Side Request Forgery attacks, where malicious actors can manipulate the library to make unauthorized requests to internal or external systems. The technical implementation of this flaw occurs when a crafted string from user input is passed directly to an HTML reader without proper sanitization or validation, creating an attack surface that can be exploited by adversaries.
The operational impact of CVE-2025-54370 extends beyond simple data exposure, as it enables attackers to potentially access internal network resources that should remain protected from external access. When a user uploads or processes a malicious HTML document through the affected library, the vulnerable setPath method can be manipulated to initiate requests to internal IP addresses or services that are typically not exposed to the internet. This capability allows for reconnaissance activities, potential data exfiltration, and further exploitation of internal systems. The vulnerability aligns with CWE-918, which specifically addresses Server-Side Request Forgery, and can be mapped to ATT&CK technique T1190, known as "Exploit Public-Facing Application," as it leverages the library's HTML processing capabilities to attack the underlying system. The attack vector typically involves crafting malicious HTML content that, when processed by the vulnerable library, triggers unintended network requests to target systems. This issue particularly affects web applications that utilize PhpSpreadsheet for processing user-uploaded files, making it a critical concern for content management systems, document processing platforms, and any application that handles spreadsheet data from untrusted sources.
Mitigation strategies for CVE-2025-54370 center around immediate version upgrades to the patched releases, which include 1.30.0, 2.1.12, 2.4.0, 3.10.0, and 5.0.0, as these versions contain the necessary code modifications to prevent the vulnerable code path from executing. Organizations should prioritize updating their PhpSpreadsheet dependencies to ensure protection against this SSRF vulnerability, particularly in environments where user-uploaded content is processed. Additional defensive measures include implementing input validation and sanitization for all user-provided data that may be processed through the library, especially when handling HTML content or file paths. Network-level protections such as firewall rules and proxy configurations can help limit outbound connections from applications using the library, reducing the potential impact of successful exploitation attempts. Security monitoring should be enhanced to detect unusual network requests originating from applications that use PhpSpreadsheet, particularly those targeting internal network resources. Organizations should also conduct thorough security assessments of their applications to identify any other potential attack surfaces that may be vulnerable to similar issues, as this vulnerability demonstrates the importance of proper input handling in library components that process external data. The fix implemented in the patched versions addresses the root cause by ensuring that user-provided paths are properly validated and sanitized before being passed to HTML readers, thereby preventing the exploitation of the SSRF vulnerability.