CVE-2025-23210: PHPSpreadsheet XSS Sanitizer Bypass Flaw

CVE-2025-23210 Overview

CVE-2025-23210 is a Cross-Site Scripting (XSS) sanitizer bypass vulnerability in phpoffice/phpspreadsheet, a pure PHP library for reading and writing spreadsheet files. Attackers can bypass the XSS sanitizer by exploiting the javascript protocol combined with special characters, potentially allowing malicious script execution when users interact with crafted spreadsheet files.

Critical Impact

Successful exploitation allows attackers to inject malicious JavaScript code that bypasses existing XSS protections, potentially leading to session hijacking, credential theft, or unauthorized actions on behalf of legitimate users.

Affected Products

• PHPOffice PhpSpreadsheet versions prior to 1.29.9
• PHPOffice PhpSpreadsheet versions prior to 2.1.8
• PHPOffice PhpSpreadsheet versions prior to 2.3.7
• PHPOffice PhpSpreadsheet versions prior to 3.9.0

Discovery Timeline

• 2025-02-03 - CVE CVE-2025-23210 published to NVD
• 2025-02-03 - Last updated in NVD database

Technical Details for CVE-2025-23210

Vulnerability Analysis

This vulnerability stems from an incomplete XSS sanitization implementation in PHPOffice PhpSpreadsheet. The library's URL validation and hyperlink processing logic failed to properly handle certain special characters (specifically control characters in the \\x00-\\x1f range) when combined with the javascript: protocol scheme. This weakness allowed attackers to craft malicious URLs that could evade the existing XSS filters while still being interpreted as executable JavaScript by web browsers when the spreadsheet content was rendered as HTML.

The vulnerability affects two key components: the Drawing.php file which handles linked drawing validation, and the Html.php writer which processes hyperlinks for HTML output. Both components shared similar pattern matching logic that could be bypassed using whitespace and control characters within the protocol scheme.

Root Cause

The root cause is an insufficient regular expression pattern used to validate URL protocol schemes. The original implementation used the pattern /^([\w\s]+):/u to extract and validate URL schemes, which only matched word characters and standard whitespace. This allowed attackers to insert control characters (ASCII 0x00-0x1F) within the protocol name, effectively creating a scheme like java[control-char]script: that bypassed the blocklist check but was still interpreted as javascript: by browsers after HTML entity decoding.

Attack Vector

The attack is network-accessible and requires user interaction. An attacker would craft a malicious spreadsheet file containing hyperlinks with obfuscated javascript: URLs using control characters. When a victim opens this file using an application that processes it with PhpSpreadsheet and renders the output as HTML, the malicious JavaScript executes in the victim's browser context. The attack requires the attacker to have some level of access to create or modify spreadsheet content that will be processed by the target system.

The following patches address the vulnerability by extending the regex pattern to also match control characters:

Patch for Drawing.php:

 
         $this->path = '';
         // Check if a URL has been passed. https://stackoverflow.com/a/2058596/1252979
-        if (filter_var($path, FILTER_VALIDATE_URL)) {
+        if (filter_var($path, FILTER_VALIDATE_URL) || (preg_match('/^([\\w\\s\\\x00-\\\x1f]+):/u', $path) && !preg_match('/^([\\w]+):/u', $path))) {
             if (!preg_match('/^(http|https|file|ftp|s3):/', $path)) {
                 throw new PhpSpreadsheetException('Invalid protocol for linked drawing');
             }

Source: GitHub Commit

Patch for Html.php:

                 $url = $worksheet->getHyperlink($coordinate)->getUrl();
                 $urlDecode1 = html_entity_decode($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
                 $urlTrim = Preg::replace('/^\\s+/u', '', $urlDecode1);
-                $parseScheme = Preg::isMatch('/^([\\w\\s]+):/u', strtolower($urlTrim), $matches);
+                $parseScheme = Preg::isMatch('/^([\\w\\s\\\x00-\\\x1f]+):/u', strtolower($urlTrim), $matches);
                 if ($parseScheme && !in_array($matches[1], ['http', 'https', 'file', 'ftp', 'mailto', 's3'], true)) {
                     $cellData = htmlspecialchars($url, Settings::htmlEntityFlags());
+                    $cellData = self::replaceControlChars($cellData);
                 } else {
                     $tooltip = $worksheet->getHyperlink($coordinate)->getTooltip();
                     $tooltipOut = empty($tooltip) ? '' : (' title="' . htmlspecialchars($tooltip) . '"');

Source: GitHub Commit

Detection Methods for CVE-2025-23210

Indicators of Compromise

• Spreadsheet files containing hyperlinks with unusual character sequences or control characters in URL schemes
• HTTP requests containing encoded control characters (e.g., %00-%1f) adjacent to protocol schemes like javascript
• Server logs showing processing of spreadsheet files followed by suspicious client-side script execution attempts
• Unusual JavaScript execution patterns in web applications that render PhpSpreadsheet-generated HTML

Detection Strategies

• Implement Web Application Firewall (WAF) rules to detect URLs containing control characters combined with javascript: protocol patterns
• Monitor application logs for errors or warnings from PhpSpreadsheet related to URL validation failures
• Use Content Security Policy (CSP) headers to restrict inline script execution and report violations
• Deploy endpoint detection to identify exploitation attempts targeting spreadsheet processing functionality

Monitoring Recommendations

• Enable verbose logging for PhpSpreadsheet operations in production environments
• Set up alerts for CSP violation reports indicating inline JavaScript execution attempts
• Monitor file upload endpoints for suspicious spreadsheet files with obfuscated hyperlinks
• Track PhpSpreadsheet library versions across your environment to ensure compliance with patched versions

How to Mitigate CVE-2025-23210

Immediate Actions Required

• Upgrade PHPOffice PhpSpreadsheet to version 1.29.9, 2.1.8, 2.3.7, or 3.9.0 or later immediately
• Audit any spreadsheet files from untrusted sources that may have been processed prior to patching
• Implement Content Security Policy headers to mitigate potential XSS impact
• Review and restrict which users can upload or create spreadsheet content processed by your application

Patch Information

The PHPOffice team has released security patches in versions 3.9.0, 2.3.7, 2.1.8, and 1.29.9. The fix modifies the URL scheme validation regex to include control characters (\\x00-\\x1f) in the pattern matching, preventing bypass attempts. Additionally, the HTML writer now explicitly replaces control characters in cell data to neutralize malicious payloads. Users should update their composer.json dependency to require the patched version.

For more details, see the GitHub Security Advisory.

Workarounds

• No official workarounds are available for this vulnerability
• Users are strongly advised to upgrade to a patched version as the only remediation option
• As a defense-in-depth measure, implement strict Content Security Policy headers to limit JavaScript execution
• Consider input validation on any spreadsheet content before processing with PhpSpreadsheet

# Update PhpSpreadsheet via Composer
composer require phpoffice/phpspreadsheet:^3.9.0
# Or for older major versions:
# composer require phpoffice/phpspreadsheet:^2.3.7
# composer require phpoffice/phpspreadsheet:^2.1.8
# composer require phpoffice/phpspreadsheet:^1.29.9