Platform
php
Component
phpoffice/phpspreadsheet
Fixed in
1.30.1
2.0.1
2.2.1
3.0.1
4.0.1
1.30.0
CVE-2025-54370 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in phpoffice/phpspreadsheet. This flaw allows attackers to manipulate the application into making requests to arbitrary internal or external resources, potentially leading to unauthorized access and data exposure. The vulnerability affects versions of PhpSpreadsheet up to and including 1.9.0, and a fix is available in version 1.30.0.
The SSRF vulnerability in PhpSpreadsheet arises from improper handling of user-supplied input within the PhpOffice\PhpSpreadsheet\Worksheet\Drawing class, specifically the setPath method. An attacker can craft malicious input that, when processed by the application, results in a request being sent to an attacker-controlled server or an internal resource. This could allow an attacker to read sensitive files, interact with internal APIs, or even perform actions on behalf of the application. The potential impact includes unauthorized access to internal systems, data exfiltration, and potentially, denial of service if the attacker can trigger resource-intensive requests.
CVE-2025-54370 was published on 2025-08-25. Like other SSRF vulnerabilities, it belongs to a class that is frequently exploited to reach internal services. There is currently no public proof-of-concept available, but SSRF flaws are typically easy to exploit, so rapid exploitation is plausible if a PoC is released. The EPSS score is pending evaluation, but the HIGH CVSS score indicates a significant risk.
Applications utilizing PhpSpreadsheet versions prior to 1.30.0 are at risk, particularly those that allow user-supplied data to influence the setPath parameter without proper sanitization. Shared hosting environments where multiple applications share the same PhpSpreadsheet installation are also at increased risk, as a vulnerability in one application could potentially be exploited to compromise others.
• php: Examine application logs for unusual outbound requests originating from the PhpOffice\PhpSpreadsheet\Worksheet\Drawing class. Use grep to search for patterns related to URL manipulation or requests to unexpected domains.
  grep 'PhpOffice\\PhpSpreadsheet\\Worksheet\\Drawing' /path/to/application/logs/access.log | grep -i 'http:'
• php: Monitor PHP error logs for warnings or errors related to URL parsing or network connections.
  journalctl -u php-fpm -f | grep -i 'URL parsing error'
• generic web: Use curl to probe for potential SSRF endpoints. Attempt to access internal resources or external domains through the vulnerable setPath parameter.
  curl 'http://localhost/path/to/phpspreadsheet?path=http://internal.example.com/sensitive_data' -s
Exploit status
EPSS
0.10% (29th percentile)
CISA SSVC
The primary mitigation for CVE-2025-54370 is to upgrade to PhpSpreadsheet version 1.30.0 or later, which contains the fix for this vulnerability. If upgrading is not immediately feasible, consider implementing temporary workarounds such as strict input validation on the setPath method to prevent the inclusion of malicious URLs. Additionally, configure a Web Application Firewall (WAF) to block requests to known malicious domains or patterns. Carefully review and restrict network access for the PhpSpreadsheet application to minimize the potential blast radius of a successful SSRF attack. After upgrading, confirm the fix by attempting to trigger the SSRF vulnerability with a known malicious URL and verifying that the request is blocked or handled safely.
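As an added example (not PhpSpreadsheet's own code, and not taken from the advisory), the "strict input validation on the setPath method" workaround described above can be implemented as a wrapper that accepts only plain files beneath an application-controlled directory and rejects URLs, PHP stream wrappers and path traversal before anything reaches Drawing::setPath(). The helper name validateDrawingPath, the base directory and the candidate inputs are assumptions constructed for the demo; the call to Drawing::setPath() is shown as a comment so the script runs without the Composer autoloader.

```php
<?php
declare(strict_types=1);

// Added example, not part of PhpSpreadsheet: restrict a user-influenced image
// path to a plain file under an application-controlled directory.
function validateDrawingPath(string $userPath, string $allowedBaseDir): string
{
    // Reject anything with a scheme prefix: http://, ftp://, php://, data:,
    // file:, etc. A plain relative path never starts with "scheme:". Windows
    // drive letters ("C:") are rejected too, which is intended here because
    // only paths relative to the allowed directory are accepted.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $userPath)) {
        throw new InvalidArgumentException('URL schemes and stream wrappers are not allowed');
    }
    // Embedded NUL bytes can truncate paths inside C-level file functions.
    if (str_contains($userPath, "\0")) {
        throw new InvalidArgumentException('Invalid character in path');
    }

    $base = realpath($allowedBaseDir);
    if ($base === false) {
        throw new RuntimeException('Allowed base directory does not exist');
    }
    // realpath() collapses "../" segments and symlinks, and returns false for
    // paths that do not exist, so the check below sees the real target.
    $resolved = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($resolved === false || !is_file($resolved)) {
        throw new InvalidArgumentException('Image file not found');
    }
    // The resolved file must still be inside the base directory (blocks traversal).
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($resolved, $prefix, strlen($prefix)) !== 0) {
        throw new InvalidArgumentException('Path escapes the allowed directory');
    }
    return $resolved;
}

// Constructed demo data: a temporary image directory holding one harmless file.
$dir = sys_get_temp_dir() . '/phpspreadsheet_images_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents($dir . '/logo.png', "\x89PNG\r\n\x1a\n"); // PNG signature only, for the demo

$candidates = [
    'logo.png',                                   // accepted: plain file under $dir
    '../../etc/passwd',                           // rejected: traversal / not found
    'http://internal.example.com/sensitive_data', // rejected: URL scheme
    'php://filter/resource=/etc/passwd',          // rejected: stream wrapper
];

foreach ($candidates as $candidate) {
    try {
        $safe = validateDrawingPath($candidate, $dir);
        echo "ACCEPT {$candidate} -> {$safe}\n";
        // Integration point with the library (requires vendor/autoload.php):
        // $drawing = new \PhpOffice\PhpSpreadsheet\Worksheet\Drawing();
        // $drawing->setPath($safe);
    } catch (Exception $e) {
        echo "REJECT {$candidate}: {$e->getMessage()}\n";
    }
}

// Clean up the demo directory.
unlink($dir . '/logo.png');
rmdir($dir);
```

The validator deliberately allowlists by location rather than denylisting known-bad prefixes: any input that is not an existing regular file under the chosen directory is refused, so new stream wrappers or URL forms do not need to be enumerated. It is a workaround for code that cannot yet be upgraded and does not replace moving to a fixed release.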
Update the PhpSpreadsheet library to version 1.30.0 or later. This will fix the SSRF vulnerability when reading and displaying processed HTML documents in the browser. Make sure to update to the latest stable version to obtain the latest security fixes.
CVE-2025-54370 is a HIGH severity Server-Side Request Forgery (SSRF) vulnerability in PhpSpreadsheet versions up to 1.9.0, allowing attackers to make requests to internal or external resources.
If you are using PhpSpreadsheet versions 1.9.0 or earlier, you are potentially affected by this SSRF vulnerability. Upgrade to 1.30.0 or later to mitigate the risk.
The recommended fix is to upgrade to PhpSpreadsheet version 1.30.0 or later. As a temporary workaround, implement strict input validation on the setPath method.
While no active exploitation has been confirmed, the SSRF nature of the vulnerability suggests a potential for rapid exploitation if a proof-of-concept is released.
Refer to the official phpoffice/phpspreadsheet security advisory for detailed information and updates regarding CVE-2025-54370.