CVE-2025-23210

Summary

phpoffice/phpspreadsheet is a pure PHP library for reading and writing spreadsheet files. Affected versions have been found to have a Bypass of the Cross-site Scripting (XSS) sanitizer using the javascript protocol and special characters. This issue has been addressed in versions 3.9.0, 2.3.7, 2.1.8, and 1.29.9. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected Software

VendorProductVersion RangeStatus
PHPOfficePhpSpreadsheet>= 3.0.0, < 3.9.0affected
PHPOfficePhpSpreadsheet>= 2.2.0, < 2.3.7affected
PHPOfficePhpSpreadsheet>= 2.0.0, < 2.1.8affected
PHPOfficePhpSpreadsheet< 1.29.9affected

Weaknesses

  • CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References