VYPR
High severity · NVD Advisory · Published Nov 14, 2018 · Updated Aug 5, 2024

CVE-2018-19277

Description

securityScan() in PHPOffice PhpSpreadsheet through 1.5.0 allows a bypass of protection mechanisms for XXE via UTF-7 encoding in a .xlsx file

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

PhpSpreadsheet up to 1.5.0 allows XXE bypass via UTF-7 encoding in .xlsx files, enabling XML external entity injection.

Vulnerability

The securityScan() function in PHPOffice PhpSpreadsheet through version 1.5.0 fails to properly detect XML external entity (XXE) definitions when the XML content is encoded with UTF-7. This allows an attacker to bypass the protection mechanism that scans for <!DOCTYPE patterns by using UTF-7 encoded <!DOCTYPE declarations in a .xlsx file. The affected versions are all releases up to and including 1.5.0 [1][2].

Exploitation

An attacker must supply a crafted .xlsx file whose XML parts declare encoding="UTF-7" and carry a UTF-7 encoded DOCTYPE with an external entity definition. When the library's reader opens the file it passes each XML part through securityScan() before parsing. The pre-fix check is a regular expression that looks for the ASCII bytes of <!DOCTYPE (tolerating interleaved NUL bytes so that UTF-16 variants are also caught, as the unchanged regex in the patch below shows); it never honours the declared charset. In UTF-7 the two characters <! are emitted as the modified-Base64 run +ADwAIQ-, so the bytes <!DOCTYPE never appear and the check passes, while libxml, which does honour the declaration, decodes the DOCTYPE and processes the entity. No authentication or special privileges are required beyond the ability to get a crafted file in front of a PhpSpreadsheet consumer (an upload form, an import job) [1].
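The bypass and its fix, reproduced as an added example written for this page (it is not PhpSpreadsheet's or PHPExcel's own code). scanVulnerable() is the pre-fix DOCTYPE regex copied from the patch context on this page; scanHardened() is my own variant of the 1.8.2 approach that decodes the declared charset first and, unlike the patch, accepts either quote style and refuses charsets mbstring does not know. The payload is constructed here and is UTF-7 encoded with mbstring; whether the XML parser later honours the declaration is the parser's concern, not this script's.

```php
<?php
// Added example, not library code. Requires the mbstring extension.

function scanVulnerable(string $xml): bool
{
    // Pre-fix check from the page: "<!DOCTYPE" with optional NUL bytes between
    // characters (UTF-16 variants). It assumes the bytes are ASCII-compatible
    // and never looks at the encoding the document declares.
    $pattern = '/\\0?' . implode('\\0?', str_split('<!DOCTYPE')) . '\\0?/';
    return (bool) preg_match($pattern, $xml);
}

function scanHardened(string $xml): bool
{
    // Read the charset from the XML declaration itself (either quote style),
    // normalise the whole document to UTF-8, then run the same DOCTYPE check.
    $charset = 'UTF-8';
    if (preg_match('/<\?xml[^>]*encoding=(["\'])([^"\']+)\1/i', $xml, $m)) {
        $charset = strtoupper($m[2]);
    }
    if ($charset !== 'UTF-8') {
        // A charset mbstring cannot decode (PHP 7 returns false, PHP 8 throws
        // ValueError) is treated as hostile rather than scanned as-is.
        $known = array_map('strtoupper', mb_list_encodings());
        if (!in_array($charset, $known, true)) {
            return true;
        }
        $xml = mb_convert_encoding($xml, 'UTF-8', $charset);
    }
    return scanVulnerable($xml);
}

// Constructed payload: an external entity that a resolving parser would expand
// to /etc/passwd. Only the body is UTF-7 encoded; the declaration stays ASCII
// so that a parser honouring it switches to UTF-7 for the rest.
$body = '<!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><x>&xxe;</x>';
$payload = '<?xml version="1.0" encoding="UTF-7"?>'
    . mb_convert_encoding($body, 'UTF-7', 'UTF-8');

echo "payload bytes: ", $payload, "\n";   // "<!" has become "+ADwAIQ-"
printf("pre-fix scan flags payload: %s\n", scanVulnerable($payload) ? 'yes' : 'no');
printf("hardened scan flags payload: %s\n", scanHardened($payload) ? 'yes' : 'no');
```

The hardened scan is still a byte-level heuristic; it only closes the encoding gap. Refusing any document that the parser itself reports as carrying a DOCTYPE is the more robust check, because it cannot disagree with the parser about what the bytes mean.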

Impact

Successful exploitation allows an attacker to perform XML External Entity (XXE) injection, which can lead to disclosure of local files, denial of service via entity expansion, and potentially server-side request forgery if the XML parser supports URL-based external entities. The compromise occurs at the privilege level of the PHP process running the library [1][2].

Mitigation

According to the cited references, the PhpSpreadsheet fix is commit 0f8f071 on the security/xml-scanner branch, which replaces the regex-only scanner with an XmlScanner class that calls libxml_disable_entity_loader() so that external entities cannot be resolved; the PHPExcel patch shown below (2b601574975a) takes the narrower route of converting the document to UTF-8 before the existing regex runs. Upgrade to phpoffice/phpspreadsheet 1.5.1 or later, or phpoffice/phpexcel 1.8.2 or later, matching the patched versions in the advisory table on this page. Where upgrading is not possible: on PHP before 8.0 call libxml_disable_entity_loader(true) before loading any spreadsheet XML (PHP 8.0 and later disable external entity loading by default and deprecate the function); never pass LIBXML_NOENT or LIBXML_DTDLOAD to the parser; and reject any XML part that still carries a DOCTYPE after the parser has decoded it, since no spreadsheet part needs one. There is no php.ini directive that turns external entity loading off, so the protection has to live in code. The TwigSpreadsheetBundle references the need for this update in issue #18 [1][2][4].
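A parser-level guard of the kind the paragraph recommends, written for this page as an added example (not PhpSpreadsheet's or PHPExcel's own code): instead of pattern-matching bytes, it lets libxml decode whatever charset the part declares and then refuses the document if a DOCTYPE is present at all. The function name is illustrative; it assumes the dom and mbstring extensions, and it treats input libxml cannot decode (for instance UTF-7 on a build without iconv support for it) as rejected too.

```php
<?php
// Added example, not library code. Requires the dom and mbstring extensions.

function loadSpreadsheetPartSafely(string $xml): ?DOMDocument
{
    // PHP < 8.0: external entity loading must be switched off explicitly.
    // PHP >= 8.0 disables it by default and deprecates this call.
    if (PHP_VERSION_ID < 80000) {
        $previous = libxml_disable_entity_loader(true);
    }
    $useErrors = libxml_use_internal_errors(true);
    try {
        $dom = new DOMDocument();
        // No LIBXML_NOENT (no entity substitution), no LIBXML_DTDLOAD, and
        // LIBXML_NONET refuses http:// and ftp:// fetches outright.
        if ($dom->loadXML($xml, LIBXML_NONET) === false) {
            return null;               // malformed or undecodable input
        }
        if ($dom->doctype !== null) {
            return null;               // spreadsheet parts never need a DTD
        }
        return $dom;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($useErrors);
        if (isset($previous)) {
            libxml_disable_entity_loader($previous);
        }
    }
}

// Constructed inputs: a benign shared-strings fragment, and the UTF-7 XXE
// payload from the advisory with an ASCII declaration so the parser honours
// the charset and decodes the hidden DOCTYPE itself.
$benign = '<?xml version="1.0" encoding="UTF-8"?>'
    . '<sst><si><t>hello</t></si></sst>';
$hostile = '<?xml version="1.0" encoding="UTF-7"?>'
    . mb_convert_encoding(
        '<!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><x>&xxe;</x>',
        'UTF-7',
        'UTF-8'
    );

printf("benign part accepted: %s\n",
    loadSpreadsheetPartSafely($benign) instanceof DOMDocument ? 'yes' : 'no');
printf("UTF-7 XXE part accepted: %s\n",
    loadSpreadsheetPartSafely($hostile) instanceof DOMDocument ? 'yes' : 'no');
```

Because the decision is made on the parsed document rather than on raw bytes, the check is indifferent to UTF-7, UTF-16 or any other charset trick: whatever libxml understood as a DOCTYPE is what gets rejected.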

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                               Affected versions   Patched versions
phpoffice/phpspreadsheet (Packagist)  < 1.5.1             1.5.1
phpoffice/phpexcel (Packagist)        < 1.8.2             1.8.2

Affected products: 2

Patches: 1

Commit 2b601574975a

Fix and improve XXE security scanning for XML-based Readers

https://github.com/PHPOffice/PHPExcel · MarkBaker · Nov 22, 2018 · via ghsa
2 files changed · +14 −1
  • changelog.txt+2 1 modified
    @@ -23,7 +23,8 @@
     **************************************************************************************
     
     
    -Planned for 1.8.2
    +2018-11-22 (v1.8.2):
    +- Security  (MBaker)                            - Fix and improve XXE security scanning for XML-based Readers
     - Bugfix:   (MBaker)                            - Fix to getCell() method when cell reference includes a worksheet reference
     - Bugfix:   (ncrypthic)       Work Item GH-570  - Ignore inlineStr type if formula element exists
     - Bugfix:   (hernst42)        Work Item GH-709  - Fixed missing renames of writeRelationShip (from _writeRelationShip)
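Review bot: the new Security line should name the advisory it closes (CVE-2018-19277) or a work item, as the neighbouring Bugfix entries do with GH-570 and GH-709; "Fix and improve XXE security scanning for XML-based Readers" on its own gives someone triaging the 1.8.2 upgrade nothing to search for.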
    
  • Classes/PHPExcel/Reader/Abstract.php+12 0 modified
    @@ -269,6 +269,18 @@ public function canRead($pFilename)
          */
         public function securityScan($xml)
         {
    +        $pattern = '/encoding="(.*?)"/';
    +        $result = preg_match($pattern, $xml, $matches);
    +        if ($result) {
    +            $charset = $matches[1];
    +        } else {
    +            $charset = 'UTF-8';
    +        }
    +
    +        if ($charset !== 'UTF-8') {
    +            $xml = mb_convert_encoding($xml, 'UTF-8', $charset);
    +        }
    +
             $pattern = '/\\0?' . implode('\\0?', str_split('<!DOCTYPE')) . '\\0?/';
             if (preg_match($pattern, $xml)) {
                 throw new PHPExcel_Reader_Exception('Detected use of ENTITY in XML, spreadsheet file load() aborted to prevent XXE/XEE attacks');
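Review bot: the charset sniff `$pattern = '/encoding="(.*?)"/';` only matches a double-quoted attribute, so a part whose declaration reads `<?xml version="1.0" encoding='UTF-7'?>` falls through to the `$charset = 'UTF-8';` default, no conversion runs, and the UTF-7 encoded `<!DOCTYPE` still slips past the unchanged regex two lines below, even though libxml accepts either quote style. Match both (for example `/encoding=(["\'])(.*?)\1/i`) and restrict the match to the XML declaration rather than any `encoding=` substring anywhere in the document. Two smaller points on the same lines: `$charset !== 'UTF-8'` is case-sensitive, so a declaration of `utf-8` triggers a pointless conversion (strtoupper the captured name first), and mb_convert_encoding() returns false on PHP 7 and throws ValueError on PHP 8 when handed a charset name it does not recognise, which then reaches preg_match(); validate the name against mb_list_encodings() and abort the load on anything unknown.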
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 13

News mentions: 0