A significant Server-Side Request Forgery (SSRF) vulnerability has been identified in the widely utilized PhpSpreadsheet library, potentially allowing attackers to exploit internal network resources and compromise server security. This vulnerability, designated as CVE-2025-54370, affects multiple versions of the phpoffice/phpspreadsheet package and has been assigned a CVSS v4.0 score of 8.7, indicating its high severity.
Understanding the SSRF Vulnerability
The core of this vulnerability lies within the `setPath` method of the `PhpOffice\PhpSpreadsheet\Worksheet\Drawing` class. Malicious HTML input can trigger unauthorized server-side requests through this method. Security researcher Aleksey Solovev from Positive Technologies discovered this zero-day flaw while analyzing version 3.8.0 of the library.
Mechanism of Exploitation
Attackers can craft malicious HTML documents containing image tags with `src` attributes pointing to internal network resources. When the PhpSpreadsheet HTML reader processes these documents, the library inadvertently makes requests to the specified URLs, potentially exposing sensitive internal services.
Proof-of-Concept Demonstration
A proof-of-concept code demonstrates the attack vector:
“`html
“`
In this example, the image tag’s `src` attribute points to an internal service. When processed by the vulnerable PhpSpreadsheet library, it may result in unauthorized requests to internal resources.
Risk Factors and Impact
The vulnerability affects the following versions of PhpSpreadsheet:
– Versions prior to 1.30.0
– Versions 2.0.0 through 2.1.11
– Versions 2.2.0 through 2.3.x
– Versions 3.0.0 through 3.9.x
– Versions 4.x prior to 5.0.0
The impact of this vulnerability is significant, with a high confidentiality impact via SSRF. Exploitation prerequisites include untrusted HTML input being passed to the HTML reader. The CVSS 3.1 score for this vulnerability is 7.5, categorizing it as high severity.
Affected Versions and Security Patches
The vulnerability impacts multiple version ranges across the PhpSpreadsheet ecosystem:
– Legacy versions: All versions prior to 1.30.0
– Version 2.x series: 2.0.0 through 2.1.11 and 2.2.0 through 2.3.x
– Version 3.x series: 3.0.0 through 3.9.x
– Version 4.x series: All 4.x versions prior to 5.0.0
Patched versions include 1.30.0, 2.1.12, 2.4.0, 3.10.0, and 5.0.0. Organizations using affected versions should prioritize immediate updates to prevent potential exploitation.
Vulnerability Classification and Attack Vectors
The vulnerability is classified under CWE-918: Server-Side Request Forgery. Attack vectors require no authentication or user interaction (AV:N/AC:L/PR:N/UI:N), enabling remote attackers to exploit the flaw through network-accessible applications processing user-supplied HTML content.
Additional Security Concerns
Additional security concerns include potential phar deserialization attacks through the `file_exists` method of the vulnerable code, creating multiple attack surfaces within the same component. Organizations utilizing PhpSpreadsheet for HTML document processing should implement input validation and network segmentation as additional protective measures while deploying the security updates.
Recommendations for Mitigation
To mitigate the risks associated with this vulnerability, organizations should:
1. Update PhpSpreadsheet: Ensure that the library is updated to one of the patched versions: 1.30.0, 2.1.12, 2.4.0, 3.10.0, or 5.0.0.
2. Validate Inputs: Implement strict input validation to prevent malicious HTML content from being processed by the application.
3. Network Segmentation: Segment internal networks to limit the potential impact of SSRF attacks, reducing the exposure of sensitive internal services.
4. Monitor and Audit: Regularly monitor and audit server logs for unusual or unauthorized requests that may indicate exploitation attempts.
Conclusion
The discovery of CVE-2025-54370 in the PhpSpreadsheet library underscores the critical importance of maintaining up-to-date software and implementing robust security measures. By promptly updating affected versions and adopting comprehensive security practices, organizations can safeguard their systems against potential SSRF attacks and protect sensitive internal resources.
