CVE-2025-54370

Summary

PhpOffice/PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to versions 1.30.0, 2.1.12, 2.4.0, 3.10.0, and 5.0.0, SSRF can occur when a processed HTML document is read and displayed in the browser. The vulnerability lies in the setPath method of the PhpOffice\PhpSpreadsheet\Worksheet\Drawing class, where a crafted string from the user is passed to the HTML reader. This issue has been patched in versions 1.30.0, 2.1.12, 2.4.0, 3.10.0, and 5.0.0.

Affected Software

VendorProductVersion RangeStatus
PHPOfficePhpSpreadsheet< 1.30.0affected
PHPOfficePhpSpreadsheet>= 2.0.0, < 2.1.12affected
PHPOfficePhpSpreadsheet>= 2.2.0, < 2.4.0affected
PHPOfficePhpSpreadsheet>= 3.0.0, < 3.10.0affected
PHPOfficePhpSpreadsheet>= 4.0.0, < 5.0.0affected

Weaknesses

  • CWE-918: CWE-918: Server-Side Request Forgery (SSRF)

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

References