Platform: php
Component: phpoffice/phpspreadsheet
Fixed in: 1.30.1, 2.0.1, 2.2.1, 3.0.1, 4.0.1
1.30.0
CVE-2025-54370 describes a Server-Side Request Forgery (SSRF) vulnerability in phpoffice/phpspreadsheet. An application that passes untrusted input to the library can be made to issue requests to arbitrary internal or external resources, which can lead to unauthorized access to internal services and to data exposure. Releases before the patched versions listed above (1.30.1, 2.0.1, 2.2.1, 3.0.1 and 4.0.1, one per maintained branch) are affected.
The flaw is in the PhpOffice\PhpSpreadsheet\Worksheet\Drawing class, specifically the setPath method, which does not adequately restrict the path it is given. When an attacker controls that value and supplies a URL instead of a local file path, the library fetches the resource, so the request originates from the server running PhpSpreadsheet rather than from the attacker. Depending on where the server sits, this lets an attacker reach internal APIs and other hosts that are not exposed externally, exfiltrate data through the response or through DNS and HTTP callbacks to an attacker-controlled host, or cause denial of service by pointing the library at slow or very large resources.
CVE-2025-54370 was published on 2025-08-25. There is currently no public proof-of-concept. SSRF bugs of this shape are generally simple to exploit once the injection point is known, so a working exploit could follow quickly if one is released; note, however, that exploitation requires the application to pass attacker-influenced values to setPath. The EPSS score is 0.10% (29th percentile), a low predicted probability of exploitation in the wild, while the CVSS rating is HIGH.
Exploit Status
EPSS: 0.10% (29th percentile)
CISA SSVC
The primary mitigation for CVE-2025-54370 is to upgrade PhpSpreadsheet to the patched release for the branch you use (1.30.1, 2.0.1, 2.2.1, 3.0.1 or 4.0.1). If upgrading is not immediately feasible, apply strict input validation before any value reaches setPath: reject anything with a URL scheme, allow only file names that resolve to a location inside a directory the application controls, and never pass user-supplied strings through unchanged. A WAF can filter obviously malicious inbound values, but it does not see the server's outbound request; the control that actually limits the blast radius of a successful SSRF is egress filtering on the host running PhpSpreadsheet, denying connections to internal address ranges, link-local and cloud metadata endpoints, and any external destination the application does not need. After upgrading, confirm the fix by supplying a URL that points at a listener you control (for example an HTTP endpoint or DNS name that logs hits) and verifying that no request arrives and that the library rejects or safely handles the value.
Update the PhpSpreadsheet library to the patched release for your branch or later. This resolves the SSRF in Drawing::setPath. Prefer the latest stable version of your branch so that other security fixes are included as well.
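The following is an added example, not code from PhpSpreadsheet or from the advisory. It shows the injection pattern described above (a request-controlled value reaching Drawing::setPath) next to the validation wrapper recommended as a workaround. It assumes a Composer autoloader, an application-defined image directory (the assets/images path is hypothetical) and a form field named logo; all sample inputs are constructed.

```php
<?php
// Added example: SSRF pattern behind CVE-2025-54370 and a validation
// wrapper placed in front of Drawing::setPath(). Not library code.
// Assumes: composer autoload, phpoffice/phpspreadsheet installed, and a
// hypothetical application image directory (see $imageDir below).

require __DIR__ . '/vendor/autoload.php';

use PhpOffice\PhpSpreadsheet\Spreadsheet;
use PhpOffice\PhpSpreadsheet\Worksheet\Drawing;
use PhpOffice\PhpSpreadsheet\Writer\Xlsx;

// VULNERABLE: the image path comes straight from the request. On an
// unpatched release, a URL such as the constructed value
// "http://internal-service.local/admin" is fetched by the server when
// setPath() processes it, so the attacker chooses the target (SSRF).
function buildReportVulnerable(string $userImagePath): Spreadsheet
{
    $spreadsheet = new Spreadsheet();
    $sheet = $spreadsheet->getActiveSheet();

    $drawing = new Drawing();
    $drawing->setName('Logo');
    $drawing->setPath($userImagePath);   // untrusted value reaches setPath()
    $drawing->setCoordinates('B2');
    $drawing->setWorksheet($sheet);

    return $spreadsheet;
}

// HARDENED: constrain the value to a local file under an allow-listed
// directory before it reaches setPath(). Returns the canonical path or
// throws; the library is never handed a URL, so there is nothing to fetch.
function resolveTrustedImagePath(string $candidate, string $imageDir): string
{
    // 1. Reject anything that carries a scheme (http://, ftp://, data:,
    //    phar:// and other PHP stream wrappers). A bare filename has none.
    if (parse_url($candidate, PHP_URL_SCHEME) !== null) {
        throw new InvalidArgumentException('URLs and stream wrappers are not allowed');
    }
    // 2. Reject directory components, so "../" and absolute paths fail
    //    (basename() strips them, making the comparison unequal).
    if ($candidate === '' || $candidate !== basename($candidate)) {
        throw new InvalidArgumentException('Only a bare filename is allowed');
    }
    // 3. Allow-list the extension to the image types this application serves.
    $ext = strtolower(pathinfo($candidate, PATHINFO_EXTENSION));
    if (!in_array($ext, ['png', 'jpg', 'jpeg', 'gif', 'bmp'], true)) {
        throw new InvalidArgumentException('Unsupported image type');
    }
    // 4. Canonicalise (resolves symlinks, false if missing) and confirm the
    //    result is still inside $imageDir.
    $base = realpath($imageDir);
    $full = realpath($imageDir . DIRECTORY_SEPARATOR . $candidate);
    if ($base === false || $full === false
        || strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new InvalidArgumentException('Image not found in the allowed directory');
    }

    return $full;
}

function buildReportHardened(string $userImagePath, string $imageDir): Spreadsheet
{
    $spreadsheet = new Spreadsheet();
    $sheet = $spreadsheet->getActiveSheet();

    $drawing = new Drawing();
    $drawing->setName('Logo');
    $drawing->setPath(resolveTrustedImagePath($userImagePath, $imageDir));
    $drawing->setCoordinates('B2');
    $drawing->setWorksheet($sheet);

    return $spreadsheet;
}

// Usage with a hypothetical image directory and request parameter.
$imageDir  = __DIR__ . '/assets/images';
$requested = $_POST['logo'] ?? 'logo.png';
try {
    $report = buildReportHardened($requested, $imageDir);
    (new Xlsx($report))->save('/tmp/report.xlsx');
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'Rejected image path: ', $e->getMessage();
}
```

The wrapper rejects URLs by scheme rather than by matching known-bad hosts, which is the only approach that survives redirects, alternate IP encodings and DNS tricks; it is a workaround for the application layer and does not replace upgrading, since any other code path that calls setPath with untrusted data remains exposed until the patched release is installed.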
CVE-2025-54370 is a HIGH severity Server-Side Request Forgery (SSRF) vulnerability in PhpSpreadsheet's Drawing::setPath that lets an attacker who controls the path value make the server request internal or external resources.
If you run any PhpSpreadsheet release older than the patched version for your branch (1.30.1, 2.0.1, 2.2.1, 3.0.1 or 4.0.1), and your application passes untrusted input to setPath, you are affected. Upgrade to the patched release to mitigate the risk.
The recommended fix is to upgrade to the patched release for your branch or later. As a temporary workaround, validate values before they reach setPath (reject URL schemes, restrict to files inside an allow-listed directory) and apply egress filtering on the host.
While no active exploitation has been confirmed, the SSRF nature of the vulnerability suggests a potential for rapid exploitation if a proof-of-concept is released.
Refer to the official phpoffice/phpspreadsheet security advisory for detailed information and updates regarding CVE-2025-54370.