Vulnerabilities
Projects
Vulnerability Disclosure
About Us
Contact Us
Mend.io Vulnerability Database
What is a WS vulnerability ID?
What is an MSC vulnerability ID?
We found results for “”
CVE-2025-54370
Good to know:
Date: August 25, 2025
PhpOffice/PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to versions 1.30.0, 2.1.12, 2.4.0, 3.10.0, and 5.0.0, SSRF can occur when a processed HTML document is read and displayed in the browser. The vulnerability lies in the setPath method of the PhpOffice\PhpSpreadsheet\Worksheet\Drawing class, where a crafted string from the user is passed to the HTML reader. This issue has been patched in versions 1.30.0, 2.1.12, 2.4.0, 3.10.0, and 5.0.0.
Severity Score
Related Resources (10)
Severity Score
Weakness Type (CWE)
Server-Side Request Forgery (SSRF)
CWE-918Top Fix
Upgrade Version
Upgrade to version https://github.com/PHPOffice/PhpSpreadsheet.git - 2.4.0;https://github.com/PHPOffice/PhpSpreadsheet.git - 5.0.0;https://github.com/PHPOffice/PhpSpreadsheet.git - 3.10.0;https://github.com/PHPOffice/PhpSpreadsheet.git - 2.1.12;https://github.com/PHPOffice/PhpSpreadsheet.git - 1.30.0
CVSS v3.1
| Base Score: |
|
|---|---|
| Attack Vector (AV): | NETWORK |
| Attack Complexity (AC): | LOW |
| Privileges Required (PR): | NONE |
| User Interaction (UI): | NONE |
| Scope (S): | UNCHANGED |
| Confidentiality (C): | HIGH |
| Integrity (I): | NONE |
| Availability (A): | NONE |