CVE-2025-54370
BaseFortify
Publication date: 2025-08-25
Last updated on: 2025-08-25
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| phpoffice | phpspreadsheet | 4.0 |
| phpoffice | phpspreadsheet | 3.8.0 |
| phpoffice | phpspreadsheet | 1.29.12 |
| phpoffice | phpspreadsheet | 4.5.0 |
| phpoffice | phpspreadsheet | 3.9.3 |
| phpoffice | phpspreadsheet | 2.1.11 |
| phpoffice | phpspreadsheet | 5.0.0 |
| phpoffice | phpspreadsheet | 2.3.10 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-54370 is a Server-Side Request Forgery (SSRF) vulnerability in the PhpOffice PhpSpreadsheet library. It occurs in the setPath method of the PhpOffice\PhpSpreadsheet\Worksheet\Drawing class when processing HTML documents containing user-controlled input. An attacker can craft an HTML file with an image tag whose source points to internal or restricted URLs, causing the server to make unintended HTTP requests to those resources. Additionally, the vulnerability involves the library's default behavior of loading external images from URLs, which was previously enabled by default and could be exploited. The vulnerability has been mitigated by changing the default behavior to disable external image loading unless explicitly enabled by the user. [5, 1, 3]
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker to make your server perform unauthorized HTTP requests to internal or protected network resources, potentially exposing sensitive information or internal services. Since the vulnerability involves automatic loading of external images from untrusted sources, it can be exploited to access internal URLs that should not be reachable externally. This can lead to confidentiality breaches without requiring any privileges or user interaction. The vulnerability has a high severity score (CVSS 8.7) due to its network attack vector and high confidentiality impact. [5, 1, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your PhpSpreadsheet library version is prior to the patched versions (1.30.0, 2.1.12, 2.4.0, 3.10.0, and 5.0.0) and if it allows loading external images by default without explicit opt-in. You can also monitor network traffic for unexpected HTTP requests originating from your application when processing spreadsheet files, especially requests to internal or restricted URLs triggered by image loading in HTML content. There are no specific commands provided in the resources, but you can inspect your PhpSpreadsheet usage for calls to the HTML reader and verify if the method `$reader->setAllowExternalImages(true)` is used or if external image loading is enabled by default. Additionally, reviewing logs for outbound HTTP requests during spreadsheet processing may help detect exploitation attempts. [1, 5]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, upgrade your PhpSpreadsheet library to one of the patched versions: 1.30.0, 2.1.12, 2.4.0, 3.10.0, or 5.0.0 or later. These versions disable external image loading by default, preventing SSRF attacks via the `setPath` method. If upgrading is not immediately possible, ensure that external image loading is explicitly disabled by not calling `$reader->setAllowExternalImages(true)` or by setting it to false if available. Avoid processing untrusted HTML content that may contain malicious image URLs. Additionally, review and improve validation of user-supplied input to the `setPath` method or related HTML processing to prevent SSRF exploitation. [1, 2, 3, 4, 5, 6]
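The opt-out described above, as an added example that is not part of this record or of the PhpSpreadsheet project: it assumes a Composer install and that the patched releases expose the `setAllowExternalImages()` method named on this page, and refuses to process untrusted HTML when that method is absent (i.e. the library predates the fix).

```php
<?php
// Added example (not from the BaseFortify record or the PhpSpreadsheet project).
// Assumption: PhpSpreadsheet is installed via Composer and the patched releases
// provide Reader\Html::setAllowExternalImages(), as named on this page.
require 'vendor/autoload.php';

use PhpOffice\PhpSpreadsheet\IOFactory;
use PhpOffice\PhpSpreadsheet\Spreadsheet;

/**
 * Load untrusted HTML with remote image fetching disabled.
 * Throws if the installed reader cannot opt out, which means the library
 * predates the fix and would fetch <img src="http://..."> unconditionally.
 */
function loadUntrustedHtml(string $html): Spreadsheet
{
    $reader = IOFactory::createReader('Html');

    if (!method_exists($reader, 'setAllowExternalImages')) {
        throw new RuntimeException(
            'PhpSpreadsheet lacks setAllowExternalImages(); upgrade before processing untrusted HTML'
        );
    }
    // Explicit, even though patched versions default to false.
    $reader->setAllowExternalImages(false);

    return $reader->loadFromString($html);
}

/** Return the paths of any drawings attached to the active sheet, for audit logging. */
function drawingPaths(Spreadsheet $spreadsheet): array
{
    $paths = [];
    foreach ($spreadsheet->getActiveSheet()->getDrawingCollection() as $drawing) {
        $paths[] = $drawing->getPath();
    }
    return $paths;
}

// Constructed sample: an <img> whose source the server must never fetch.
$sample = '<table><tr><td><img src="http://internal.example/secret.png"></td></tr></table>';
$paths = drawingPaths(loadUntrustedHtml($sample));
echo $paths === [] ? "no remote images attached\n" : 'audit: ' . implode(', ', $paths) . "\n";
```

Wrap the reader this way at every HTML ingestion point so the setting cannot silently revert to the pre-fix default if the dependency is downgraded.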