SSRF in Phpoffice Phpspreadsheet
CVE-2025-54370
PhpOffice/PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to versions 1.30.0, 2.1.12, 2.4.0, 3.10.0, and 5.0.0, SSRF can occur when a processed HTML document is read and displayed in the browser. The v…
Vulnerability class: SSRF (Server-Side Request Forgery)
EPSS: 0.001 (33.4th percentile) — read the EPSS interpretation.
Affected products
- Phpoffice Phpspreadsheet — versions < 1.30.0, >= 2.0.0, < 2.1.12, >= 2.2.0, < 2.4.0
Weakness classification (CWE)
References
- https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-rx7m-68vc-ppxh (x_refsource_CONFIRM)
- https://github.com/PHPOffice/PhpSpreadsheet/commit/334a67797ace574d1d37c0992ffe283b7415471a (x_refsource_MISC)
- https://github.com/PHPOffice/PhpSpreadsheet/commit/4050f14521d70634c3320b170236574a6106eb39 (x_refsource_MISC)
- https://github.com/PHPOffice/PhpSpreadsheet/commit/81a0de2261f698404587a6421a5c6eb263c40b31 (x_refsource_MISC)
- https://github.com/PHPOffice/PhpSpreadsheet/commit/ac4befd2f7ccc21a59daef606a02a3d1828ade09 (x_refsource_MISC)
- https://github.com/PHPOffice/PhpSpreadsheet/commit/c2cd0e64392438e4c6af082796eb65c1d629a266 (x_refsource_MISC)