Cross-site Scripting Vulnerability in PHPOffice PhpSpreadsheet Library
CVE-2025-23210
Severity: 4.8 MEDIUM
What is CVE-2025-23210?
The PHPOffice PhpSpreadsheet library, widely used for reading and writing spreadsheet files in PHP, contains a vulnerability that lets an attacker bypass its Cross-site Scripting (XSS) sanitization by using the javascript protocol together with specific characters. The flaw affects several release lines of the library, so users should upgrade to the patched versions (3.9.0, 2.3.7, 2.1.8, and 1.29.9). No workarounds are known for this vulnerability; updating is the only recommended action.
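Two checks a defender would want from this advisory, as an added Python example that is not part of the original advisory or of the PhpSpreadsheet project: an inventory helper that tests an installed version against the affected ranges listed on this page, and an illustrative hyperlink-scheme allow-list that normalizes control characters before deciding whether a URL may be emitted. The allow-list is a generic defence for this class of bug and is not the library's own fix; the scheme set and the normalization rule are assumptions chosen for the example.

```python
import re

# Affected ranges exactly as listed on this advisory: [lower, upper) tuples.
# The 1.x line is mentioned in the prose (fixed in 1.29.9) but the page gives
# no lower bound for it, so it is deliberately not encoded here.
AFFECTED_RANGES = [
    ((3, 0, 0), (3, 9, 0)),
    ((2, 2, 0), (2, 3, 7)),
    ((2, 0, 0), (2, 1, 8)),
]


def parse_version(version):
    """Turn '3.8.0' or 'v3.8' into a 3-tuple of ints for comparison."""
    parts = version.strip().lstrip("v").split(".")
    nums = [int(re.match(r"\d+", p).group(0)) for p in parts[:3]]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_affected(version):
    """True if the version falls inside one of the ranges this page lists."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


# Assumed allow-list for the example: only schemes a spreadsheet hyperlink
# legitimately needs. Anything else (javascript, data, vbscript, ...) is refused.
SAFE_SCHEMES = {"http", "https", "mailto"}

# Browsers ignore ASCII control characters and whitespace inside a scheme,
# so the check must strip them before looking at the scheme; a sanitizer that
# matches the literal string "javascript:" sees a different string than the
# browser does. This is the normalization rule assumed by this example.
_IGNORED = re.compile(r"[\x00-\x20\x7f]")
_SCHEME = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):")


def hyperlink_allowed(url):
    """Allow-list decision for a hyperlink before it is written to HTML output.

    Scheme-less values (relative links, in-workbook '#Sheet1!A1' targets) are
    allowed; anything with a scheme must be on SAFE_SCHEMES after normalization.
    """
    cleaned = _IGNORED.sub("", url)
    m = _SCHEME.match(cleaned)
    if m is None:
        return True  # no scheme: relative or internal reference
    return m.group(1).lower() in SAFE_SCHEMES


if __name__ == "__main__":
    for v in ("3.8.0", "3.9.0", "2.3.6", "2.1.8"):
        print(v, "affected" if is_affected(v) else "not affected")
    for u in ("https://example.com/", "#Sheet1!A1", "javascript:alert(1)"):
        print(repr(u), "allowed" if hyperlink_allowed(u) else "refused")
```

`is_affected` is the kind of check to run over `composer.lock` data across a fleet; `hyperlink_allowed` shows why an allow-list on the normalized scheme is more robust than a deny-list on the raw string, which is the shape of sanitizer that this class of bypass defeats.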
Affected Version(s)
PhpSpreadsheet >= 3.0.0, < 3.9.0 (not affected: < 3.0.0; fixed in 3.9.0)
PhpSpreadsheet >= 2.2.0, < 2.3.7 (not affected: < 2.2.0; fixed in 2.3.7)
PhpSpreadsheet >= 2.0.0, < 2.1.8 (not affected: < 2.0.0; fixed in 2.1.8)