CVE-2025-54370 Overview
CVE-2025-54370 is a Server-Side Request Forgery (SSRF) vulnerability (CWE-918) in PhpOffice/PhpSpreadsheet, a widely deployed PHP library for reading and writing spreadsheet files. The flaw resides in the setPath method of the PhpOffice\PhpSpreadsheet\Worksheet\Drawing class. An attacker can supply a crafted path string that is passed unvalidated to the HTML reader. When the processed HTML document is rendered, the server fetches the attacker-controlled URL, exposing internal services and metadata endpoints.
Critical Impact
Unauthenticated attackers can coerce vulnerable PHP applications into issuing arbitrary outbound requests, enabling reconnaissance of internal networks and theft of cloud metadata credentials.
Affected Products
- PhpOffice/PhpSpreadsheet versions prior to 1.30.0
- PhpOffice/PhpSpreadsheet versions prior to 2.1.12, 2.4.0, and 3.10.0
- PhpOffice/PhpSpreadsheet versions prior to 5.0.0
Discovery Timeline
- 2025-08-25 - CVE-2025-54370 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-54370
Vulnerability Analysis
The vulnerability is classified as Server-Side Request Forgery under CWE-918. PhpSpreadsheet allows developers to embed drawings into worksheets through the Drawing class. The setPath method accepts a file path or URL identifying the image to embed. When the HTML reader processes a document containing such a drawing, it dereferences the supplied path without enforcing any scheme or host restrictions.
An attacker who can influence spreadsheet content, or supply a crafted HTML document to an application using PhpSpreadsheet, can point setPath at internal endpoints. Targets include cloud instance metadata services such as http://169.254.169.254/, internal admin panels, and other non-routable services reachable from the PHP host.
The EPSS score is 0.134% (32.7th percentile), a low estimated probability of exploitation; no in-the-wild exploitation activity has been observed at this time.
Root Cause
The root cause is missing input validation in the setPath method of PhpOffice\PhpSpreadsheet\Worksheet\Drawing. The method accepts arbitrary strings and forwards them to the HTML reader, which performs an HTTP fetch against the supplied URL. No allowlist of permitted schemes, hostnames, or IP ranges is applied before the outbound request is initiated.
Attack Vector
Exploitation requires no authentication and no user interaction beyond viewing the rendered output. An attacker uploads or submits a spreadsheet whose drawing path references an internal URL. When the application reads the file and emits the HTML representation, the server performs an HTTP GET against the attacker-supplied target. Response data may be reflected in rendered output, leaking internal service banners, cloud metadata, or session tokens.
No verified exploit code is publicly available. See the GitHub Security Advisory GHSA-rx7m-68vc-ppxh for vendor technical details.
Detection Methods for CVE-2025-54370
Indicators of Compromise
- Outbound HTTP requests from PHP worker processes to RFC 1918 addresses, link-local ranges (169.254.0.0/16), or loopback interfaces.
- Web server access logs showing spreadsheet uploads followed by anomalous egress connections to cloud metadata endpoints.
- HTTP responses containing instance metadata fields such as iam, security-credentials, or meta-data reflected back in application output.
Detection Strategies
- Inspect uploaded spreadsheet files for Drawing elements whose path attribute begins with http://, https://, file://, or gopher:// schemes.
- Deploy egress filtering rules and alert when PHP-FPM or Apache worker processes initiate connections to internal-only IP ranges.
- Audit application code for calls to Drawing::setPath that accept user-controlled input without prior URL validation.
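The first detection strategy above, as an added example that is not code from the PhpSpreadsheet project: a PHP helper that opens an uploaded .xlsx and reports every drawing relationship whose target is a URL rather than an image bundled inside the archive. It assumes the OOXML package layout (drawing image links stored in xl/drawings/_rels/*.rels), PHP 8 with the zip and SimpleXML extensions, and the hypothetical function name findExternalDrawingTargets.

```php
<?php
declare(strict_types=1);
/**
 * Hypothetical helper, not part of PhpSpreadsheet: open an .xlsx (a ZIP of
 * OOXML parts) and list every drawing relationship whose target is a URL
 * rather than an image bundled under xl/media/. Returns [part => [target, ...]].
 */
function findExternalDrawingTargets(string $xlsxPath): array
{
    $findings = [];
    $zip = new ZipArchive();
    if ($zip->open($xlsxPath, ZipArchive::RDONLY) !== true) {
        throw new RuntimeException("Cannot open $xlsxPath as a ZIP archive");
    }
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        // Image links for a drawing live in xl/drawings/_rels/drawingN.xml.rels
        if (preg_match('#^xl/drawings/_rels/[^/]+\.rels$#', $name) !== 1) {
            continue;
        }
        $xml = $zip->getFromIndex($i);
        // LIBXML_NONET: never let the untrusted XML itself trigger network access.
        $prev = libxml_use_internal_errors(true);
        $doc = $xml === false ? false : simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
        libxml_use_internal_errors($prev);
        if ($doc === false) {
            $findings[$name][] = '(unparseable relationship part)';
            continue;
        }
        foreach ($doc->Relationship as $rel) {
            $target = (string) $rel['Target'];
            // A scheme prefix (http://, HTTPS://, file://, gopher://, ...) or an
            // explicit External mode means the image is fetched at render time.
            if ((string) $rel['TargetMode'] === 'External'
                || preg_match('#^[a-z][a-z0-9+.\-]*://#i', $target) === 1) {
                $findings[$name][] = $target;
            }
        }
    }
    $zip->close();
    return $findings;
}

// Usage: quarantine the upload when anything is reported.
$hits = findExternalDrawingTargets($argv[1] ?? 'upload.xlsx');
foreach ($hits as $part => $targets) {
    fwrite(STDERR, "$part: " . implode(', ', $targets) . "\n");
}
exit($hits === [] ? 0 : 1);
```

Run it from the upload handler before the file is handed to PhpSpreadsheet; a non-zero exit means the workbook links to at least one external image and should be held for review.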
Monitoring Recommendations
- Forward web application and network egress telemetry into a centralized analytics platform for correlation across upload events and outbound requests.
- Establish baselines for legitimate outbound HTTP behavior from application servers and alert on deviations.
- Monitor cloud audit logs (AWS CloudTrail, Azure Activity Log, GCP Audit Logs) for unexpected use of instance role credentials originating from web tiers.
How to Mitigate CVE-2025-54370
Immediate Actions Required
- Upgrade PhpSpreadsheet to a fixed release: 1.30.0, 2.1.12, 2.4.0, 3.10.0, or 5.0.0 depending on the major version branch in use.
- Inventory all applications and dependencies (including transitive ones) that bundle PhpSpreadsheet via Composer.
- Restrict outbound network access from PHP application servers to only the destinations they require.
Patch Information
The maintainers released fixes across five maintained branches. Patch commits include 334a6779, 4050f145, 81a0de22, ac4befd2, and c2cd0e64. Refer to the GitHub Security Advisory for branch mapping.
Workarounds
- Validate and sanitize any user-supplied input before passing it to Drawing::setPath, rejecting non-local schemes and disallowed hostnames.
- Block PHP outbound traffic to link-local addresses such as 169.254.169.254 at the host or network firewall.
- Disable HTML rendering of user-submitted spreadsheets where the feature is not required.
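The first workaround, as an added example rather than code from PhpSpreadsheet: a hypothetical guard safeDrawingPath() that goes further than rejecting selected schemes and hostnames, accepting only an existing image file below one fixed local directory, so Drawing::setPath never receives a URL at all. It assumes PHP 8 with the fileinfo extension and an images directory chosen by the application.

```php
<?php
declare(strict_types=1);

use PhpOffice\PhpSpreadsheet\Worksheet\Drawing;

/**
 * Hypothetical guard, not part of PhpSpreadsheet: accept only an existing
 * image file below one fixed local directory and return its canonical path,
 * so the library never receives a URL or an arbitrary filesystem path.
 */
function safeDrawingPath(string $userPath, string $imageRoot): string
{
    // Reject any scheme prefix (http:, HTTPS:, file:, gopher:, ...) before anything
    // touches the value; this also rejects Windows drive letters, which is intended
    // because every accepted path is relative to $imageRoot.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $userPath) === 1) {
        throw new InvalidArgumentException('URL schemes are not allowed in drawing paths');
    }
    if (str_contains($userPath, "\0")) {
        throw new InvalidArgumentException('Invalid drawing path');
    }
    // realpath() resolves "..", symlinks and "./", so the prefix test below is
    // the authoritative containment check.
    $root = realpath($imageRoot);
    $full = realpath($imageRoot . DIRECTORY_SEPARATOR . $userPath);
    if ($root === false || $full === false || !str_starts_with($full, $root . DIRECTORY_SEPARATOR)) {
        throw new InvalidArgumentException('Drawing path is outside the permitted image directory');
    }
    // Accept only real image files of the types the application expects.
    $allowed = ['image/png', 'image/jpeg', 'image/gif'];
    if (!is_file($full) || !in_array(mime_content_type($full), $allowed, true)) {
        throw new InvalidArgumentException('Drawing path does not point at a permitted image');
    }
    return $full;
}

// The validated local path, never the raw user value, is what reaches setPath().
$drawing = new Drawing();
try {
    $drawing->setPath(safeDrawingPath($_POST['image'] ?? '', __DIR__ . '/images'));
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    exit('Rejected drawing path');
}
```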
# Composer upgrade example - select the release matching your major version
composer require phpoffice/phpspreadsheet:^5.0.0
# or for the 3.x branch
composer require phpoffice/phpspreadsheet:^3.10.0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.