phpoffice/phpspreadsheet is vulnerable to Server-Side Request Forgery (SSRF)
Risk score: 75 (High Risk)
Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF) via Unrestricted External Image Loading, where the default configuration allowed automatic fetching of external images without explicit user consent. Attackers can exploit this by embedding malicious image URLs in documents, forcing the application to send unauthorized HTTP/HTTPS requests to attacker-controlled domains when processed.
You are affected if you are using a version that falls within the vulnerable range.
phpoffice/phpspreadsheet is vulnerable to Server-Side Request Forgery (SSRF) in versions 1.0.0 - 1.29.12, 2.0.0 - 2.1.11, 2.2.0 - 2.3.10, 3.0.0 - 3.9.3 and 4.0.0 - 4.5.0.
Upgrade the phpoffice/phpspreadsheet library to the patched version, or set $allowExternalImages to false.
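To check an installed dependency against the affected ranges listed above, the following added example (not part of the advisory or of the PhpSpreadsheet project) reads a composer.lock and reports whether the locked version falls inside one of them. The function names and the sample lock file are constructed for illustration; the ranges are copied from the advisory text.

```python
import json
import re

PACKAGE = "phpoffice/phpspreadsheet"

# Affected ranges (inclusive), copied from the advisory text.
AFFECTED = [
    ((1, 0, 0), (1, 29, 12)),
    ((2, 0, 0), (2, 1, 11)),
    ((2, 2, 0), (2, 3, 10)),
    ((3, 0, 0), (3, 9, 3)),
    ((4, 0, 0), (4, 5, 0)),
]

def parse_version(text):
    """Return (major, minor, patch), or None for anything else (dev-master, pre-releases)."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def is_affected(version):
    """True or False for a plain x.y.z version, None when it needs manual review."""
    v = parse_version(version)
    if v is None:
        return None
    return any(lo <= v <= hi for lo, hi in AFFECTED)

def audit_lock(lock_text):
    """Return (locked_version, verdict) for the package, or None if it is not locked."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name", "").lower() == PACKAGE:
                return pkg["version"], is_affected(pkg["version"])
    return None

# Constructed composer.lock excerpt, for demonstration only.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "psr/log", "version": "3.0.0"},
        {"name": "phpoffice/phpspreadsheet", "version": "2.3.4"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    labels = {True: "AFFECTED", False: "not in an affected range", None: "review manually"}
    found = audit_lock(SAMPLE_LOCK)
    print(f"{PACKAGE}: " + ("not locked" if found is None else f"{found[0]} -> {labels[found[1]]}"))
```

A version outside the ranges only shows that the upgrade has been applied; the script does not detect whether $allowExternalImages has been set to false on an affected version.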