Friday, April 24, 2026

PhpSpreadsheet Library Vulnerability Allows Injection of Malicious HTML

A critical Server-Side Request Forgery (SSRF) vulnerability has been discovered in the popular PHP library PhpSpreadsheet, allowing attackers to inject arbitrary HTML content that triggers HTTP requests from the server.

Tracked as CVE-2025-54370 and published under GitHub Security Advisory GHSA-rx7m-68vc-ppxh, the vulnerability affects a broad range of versions and could expose internal services or sensitive data.

The root cause resides in the PhpOffice\PhpSpreadsheet\Worksheet\Drawing::setPath() method of the HTML reader.

When processing an HTML document, the reader passes the value of every <img src="…"> attribute directly into setPath() without adequate validation of the URL scheme or host. An attacker-supplied HTML file containing, for example:

```html
<table>
    <tr>
        <img src="http://127.0.0.1:1337">
    </tr>
</table>
```

will prompt the library to fetch the internal resource at 127.0.0.1:1337, enabling SSRF against intranet services or metadata endpoints.

The issue arises because the HTML reader treats every image path as a remote resource, using PHP’s HTTP wrappers and cURL internally, without sandboxing or blacklisting local addresses.

Affected Versions and Severity

The vulnerability carries a CVSS v3.1 base score of 7.5 (High) and a CVSS v4.0 score of 8.7 (High). All PhpSpreadsheet releases prior to 1.30.0, and those within the ranges:

  • ≥ 2.0.0 and < 2.1.12
  • ≥ 2.2.0 and < 2.4.0
  • ≥ 3.0.0 and < 3.10.0
  • ≥ 4.0.0 and < 5.0.0

are vulnerable. These include more than ten major releases spanning the library’s evolution, affecting both new and long-term users.

CVSS v4.0 Breakdown

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Vulnerable System Confidentiality: High
  • Integrity and Availability: None

This combination enables unauthenticated remote attackers to exploit SSRF simply by supplying a malicious HTML file to any service that utilizes PhpSpreadsheet’s HTML reader.

Mitigations

The PhpSpreadsheet maintainers have released patched versions addressing this vulnerability by sanitizing and restricting URL inputs in the setPath() method:

  • 1.30.0
  • 2.1.12
  • 2.4.0
  • 3.10.0
  • 5.0.0

Upgrading to one of these releases blocks requests to local and private network addresses and enforces stricter URL schemes. Users should:

  1. Update Immediately: Run composer require phpoffice/phpspreadsheet:^5.0.0 or target the minimum patched version compatible with your codebase.
  2. Audit Input Sources: Ensure untrusted users cannot control HTML files fed into PhpSpreadsheet’s readers.
  3. Implement Network Controls: Apply egress filtering at the network level to prevent PHP processes from reaching sensitive internal endpoints.

Additionally, security teams should review applications for any instances where HTML input may be processed without further sanitization or output escaping.
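An added example, not PhpSpreadsheet's or the advisory's own code, of the input audit and address blocking described above: a PHP pre-filter that parses untrusted HTML, extracts every <img src>, and rejects the file if any source uses a scheme other than http/https or points at a loopback, private or link-local address. Function names are assumptions of this example; because DNS answers can change between this check and the reader's fetch, the egress filtering in step 3 is still required.

```php
<?php
// Added example, not PhpSpreadsheet's own code: a pre-filter that rejects untrusted
// HTML whose <img src> points at loopback, private or link-local addresses before
// the HTML reader sees it. DNS answers can change later, so keep egress filtering too.
function isPrivateOrLocalIp(string $ip): bool
{
    // NO_PRIV_RANGE: RFC 1918, fc00::/7. NO_RES_RANGE: 127/8, 169.254/16, 0/8, ::1, fe80::/10.
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) === false;
}
function imageSrcIsSafe(string $src): bool
{
    $parts = parse_url($src);
    if ($parts === false || empty($parts['host'])) {
        return false; // relative paths, data:, file: and the like are rejected
    }
    if (!in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true)) {
        return false;
    }
    $host = trim($parts['host'], '[]'); // drop IPv6 brackets
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return !isPrivateOrLocalIp($host);
    }
    // Every A/AAAA record must be public: a name with one public and one private address fails.
    $records = @dns_get_record($host, DNS_A | DNS_AAAA) ?: [];
    if ($records === []) { return false; }
    foreach ($records as $r) {
        $ip = $r['ip'] ?? $r['ipv6'] ?? '';
        if ($ip === '' || isPrivateOrLocalIp($ip)) {
            return false;
        }
    }
    return true;
}
function unsafeImageSources(string $html): array
{
    $doc = new DOMDocument();
    @$doc->loadHTML($html, LIBXML_NONET); // LIBXML_NONET: no network access while parsing
    $bad = [];
    foreach ($doc->getElementsByTagName('img') as $img) {
        if (!imageSrcIsSafe($src = $img->getAttribute('src'))) {
            $bad[] = $src;
        }
    }
    return $bad;
}
$sample = '<table><tr><img src="http://127.0.0.1:1337"></tr></table>'; // constructed sample
if (unsafeImageSources($sample) !== []) {
    echo "rejected: unsafe image source(s) in HTML\n";
}
```

Run the filter before handing the file to the HTML reader and refuse the whole document on any rejected source, rather than stripping individual tags.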

Given the lack of authentication requirements, this vulnerability may be weaponized in automated attacks or combined with phishing lures to target internal services.


Ethan Brooks
Ethan Brooks is a Senior cybersecurity journalist passionate about threat intelligence and data privacy. His work highlights cyber attacks, hacking, security culture, and cybercrime with The Cyber News.
