Platform: php
Component: phpoffice/phpspreadsheet
Fixed in: 1.29.3, 2.0.1, 2.2.1, 2.3.0
CVE-2024-45290 describes a Path Traversal vulnerability discovered in phpoffice/phpspreadsheet. This flaw allows attackers to potentially leak sensitive information by crafting malicious XLSX files that exploit how PhpSpreadsheet handles external URLs within images. The vulnerability impacts versions of PhpSpreadsheet up to and including 2.2.2, and a fix is available in version 2.3.0.
An attacker can leverage this vulnerability to read arbitrary files on the server hosting the PhpSpreadsheet application. By embedding a URL that uses the php://filter stream wrapper in a malicious XLSX file, the attacker can cause PhpSpreadsheet to retrieve, and potentially expose, the contents of any file the web server process can read. This could include sensitive configuration files, database credentials, or even source code. The blast radius extends to any system that processes these malicious XLSX files, potentially leading to widespread data breaches and system compromise. This differs from a previously disclosed vulnerability (GHSA-w9xv-qf98-ccq4) and resides in a different component.
This vulnerability was publicly disclosed on 2024-10-07. No known public exploits or active campaigns have been reported at the time of writing. The vulnerability is not currently listed on CISA KEV. The CVSS score of 7.7 indicates a High severity rating, suggesting a reasonable likelihood of exploitation if left unaddressed.
Exploit Status
EPSS: 0.30% (54th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade to PhpSpreadsheet version 2.3.0 or later, which contains the fix for this vulnerability. If upgrading is not immediately feasible, consider implementing temporary workarounds. Restrict the ability of PhpSpreadsheet to access external URLs by configuring your web server to block requests to php://filter; note that php://filter is a PHP stream wrapper resolved inside the PHP process rather than an outbound request the web server can observe, so the restriction also needs to be enforced in the application before the file is handed to PhpSpreadsheet. Implement strict input validation on all XLSX files processed by PhpSpreadsheet, rejecting files with suspicious URL patterns. Monitor web server access logs for requests containing php://filter and unusual file paths, and log every rejected upload.
Update the PhpSpreadsheet library to version 1.29.2, 2.1.1, or 2.3.0 (or any later release). This fixes the path traversal and Server-Side Request Forgery vulnerability when opening XLSX files. You can update the library using Composer by running `composer update phpoffice/phpspreadsheet`, and confirm the installed version afterwards with `composer show phpoffice/phpspreadsheet`.
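The input validation step above, as an added example that is not PhpSpreadsheet project code: it opens the uploaded package, inspects only the drawing relationship parts (where image targets live), and rejects any target that uses a stream wrapper such as php://filter or that resolves outside the package, before the file is ever passed to PhpSpreadsheet. It assumes PHP 8 with the zip and SimpleXML extensions; the function names are the author's own.

```php
<?php
// Added example (not PhpSpreadsheet project code): screen the drawing relationship
// parts of an XLSX package before PhpSpreadsheet opens it, rejecting image targets
// that use a stream wrapper (php://filter, file://, ...) or escape the package.

// Resolve a package-relative target against the directory of the part that owns
// the .rels file; returns null when the path climbs above the package root.
function resolvePartPath(string $relsName, string $target): ?string
{
    // xl/drawings/_rels/drawing1.xml.rels belongs to xl/drawings/drawing1.xml
    $base = str_starts_with($target, '/') ? '' : dirname(str_replace('/_rels/', '/', $relsName));
    $out = [];
    foreach (explode('/', "$base/$target") as $seg) {
        if ($seg === '' || $seg === '.') { continue; }
        if ($seg === '..') { if ($out === []) { return null; } array_pop($out); continue; }
        $out[] = $seg;
    }
    return implode('/', $out);
}

// Returns a list of findings; an empty list means no suspicious image targets.
function findSuspiciousDrawingTargets(string $xlsxPath): array
{
    $zip = new ZipArchive();
    if ($zip->open($xlsxPath) !== true) {
        return ["not a readable zip/xlsx package: $xlsxPath"];
    }
    $findings = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if (!preg_match('#^xl/drawings/_rels/.*\.rels$#', $name)) { continue; }
        $doc = @simplexml_load_string((string) $zip->getFromIndex($i), 'SimpleXMLElement', LIBXML_NONET);
        if ($doc === false) { $findings[] = "$name: unreadable relationship XML"; continue; }
        foreach ($doc->Relationship as $rel) {
            $target = (string) $rel['Target'];
            $scheme = strtolower((string) parse_url($target, PHP_URL_SCHEME));
            if ((string) $rel['TargetMode'] === 'External') {
                // Only plain http(s) links are acceptable as external image sources.
                if (!in_array($scheme, ['http', 'https'], true)) {
                    $findings[] = "$name: external target '$target' has scheme '$scheme'";
                }
            } elseif ($scheme !== '' || resolvePartPath($name, $target) === null) {
                // Internal targets must be wrapper-free paths inside the package.
                $findings[] = "$name: internal target '$target' is not package-relative";
            }
        }
    }
    $zip->close();
    return $findings;
}
```

Call `findSuspiciousDrawingTargets()` on the uploaded temporary file and refuse the upload (for example with a 400 response) whenever it returns a non-empty list; only a clean file should reach `IOFactory::load()`.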
CVE-2024-45290 is a Path Traversal vulnerability in PhpSpreadsheet versions up to 2.2.2, allowing attackers to potentially leak file contents via malicious XLSX files.
You are affected if you are using PhpSpreadsheet versions 2.2.2 or earlier. Upgrade to 2.3.0 or later to mitigate the risk.
Upgrade to PhpSpreadsheet version 2.3.0 or later. As a temporary workaround, restrict access to php://filter URLs or implement strict input validation.
No active exploitation has been reported at this time, but the High severity rating indicates a potential risk.
Refer to the official advisory on the PhpSpreadsheet GitHub repository: https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-w9xv-qf98-ccq4