CVE-2025-23210
Description
phpoffice/phpspreadsheet is a pure PHP library for reading and writing spreadsheet files. Affected versions have been found to have a Bypass of the Cross-site Scripting (XSS) sanitizer using the javascript protocol and special characters. This issue has been addressed in versions 3.9.0, 2.3.7, 2.1.8, and 1.29.9. Users are advised to upgrade. There are no known workarounds for this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A bypass of the XSS sanitizer in PhpSpreadsheet allows attackers to inject arbitrary JavaScript via specially crafted spreadsheet files using the javascript protocol and special characters.
Description
The vulnerability resides in the generateRow method of the Html writer in PhpSpreadsheet. The library attempts to sanitize hyperlink URLs by checking whether the scheme is on an allow-list (http, https, file, ftp, mailto, s3). However, because of insufficient input validation, an attacker can craft a javascript: URL that contains special characters such as whitespace or control characters (e.g., javascript\x00:...) so that the scheme check does not recognize it. The URL is then rendered as a hyperlink in the generated HTML output, and a browser that ignores the inserted characters executes it as JavaScript when a user interacts with the link [1][2].
Exploitation
An attacker can create a malicious spreadsheet file (e.g., XML format) containing a hyperlink with a javascript: URL that includes control characters or whitespace. When a server-side application reads this file and converts it to HTML using PhpSpreadsheet's Html writer, the malicious URL is output without proper sanitization. A victim viewing the generated HTML page and clicking the link will trigger arbitrary JavaScript execution in their browser. No authentication is required beyond the ability to upload or influence the spreadsheet file [2].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the user's browser. This can lead to data theft, session hijacking, defacement, or other malicious actions, depending on the application's trust level and the user's privileges [2].
Mitigation
The vulnerability has been addressed in PhpSpreadsheet versions 3.9.0, 2.3.7, 2.1.8, and 1.29.9. The fix includes additional sanitization that strips control characters from the URL (see commit [4]). There are no known workarounds, so users are strongly advised to upgrade to the latest patched version [1][4].
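As an added example (not PhpSpreadsheet's own code and not the fix commit), the following standalone PHP contrasts two shapes of the hyperlink scheme check. The naive one models the behaviour the description implies: it only rejects a URL whose leading `letters:` token names a scheme outside the allow-list, and lets anything else through as a relative link, so a control character inside the scheme token defeats it. The hardened one first removes ASCII control characters and surrounding whitespace, the normalisation the mitigation paragraph attributes to the fix, and only then inspects the scheme; the rendering helper also emits the cleaned URL rather than the raw one. The allow-list is the one named above; the function names and the exact shape of the naive check are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not PhpSpreadsheet's code. The allow-list below is the
// one the advisory describes; the function names are hypothetical.
const ALLOWED_SCHEMES = ['http', 'https', 'file', 'ftp', 'mailto', 's3'];

/**
 * Naive check (assumed shape of the pre-fix logic): a URL is rejected only
 * when its literal leading "letters:" token names a disallowed scheme.
 * "javascript\x00:..." has no such token, so it is passed through as if it
 * were a relative link, yet the browser strips the NUL and sees javascript:.
 */
function naiveSchemeAllowed(string $url): bool
{
    if (preg_match('/^([a-z]+):/i', $url, $m) !== 1) {
        return true; // no recognisable scheme: treated as a relative link
    }
    return in_array(strtolower($m[1]), ALLOWED_SCHEMES, true);
}

/**
 * Remove every ASCII control character (NUL, TAB, LF, CR, ..., DEL) and
 * surrounding whitespace. Browsers discard these when parsing a URL, so the
 * check must look at the same string the browser will act on.
 */
function stripControlCharacters(string $url): string
{
    return trim((string) preg_replace('/[\x00-\x1F\x7F]/', '', $url));
}

/**
 * Hardened check: canonicalise first, then apply the allow-list. After
 * cleaning, any javascript: URL necessarily exposes its scheme token.
 */
function hardenedSchemeAllowed(string $url): bool
{
    $clean = stripControlCharacters($url);
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $clean, $m) !== 1) {
        return true; // still no scheme after cleaning: genuinely relative
    }
    return in_array(strtolower($m[1]), ALLOWED_SCHEMES, true);
}

/**
 * Writer-side use: rejected URLs degrade to an inert "#" link, accepted
 * ones are emitted in their cleaned form, and both href and text are
 * HTML-escaped so the value cannot break out of the attribute.
 */
function renderHyperlink(string $url, string $text): string
{
    $href = hardenedSchemeAllowed($url) ? stripControlCharacters($url) : '#';
    return sprintf(
        '<a href="%s">%s</a>',
        htmlspecialchars($href, ENT_QUOTES | ENT_HTML5, 'UTF-8'),
        htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8')
    );
}

// Constructed sample cell hyperlinks, benign payloads only.
$samples = [
    'https://example.com/report',   // allowed by both
    'mailto:alerts@example.com',    // allowed by both
    'Sheet2!A1',                    // internal reference, no scheme: allowed
    'javascript:void(0)',           // rejected by both
    "javascript\x00:void(0)",       // NUL inside scheme: naive check bypassed
    " javascript:void(0)",          // leading space: naive check bypassed
    "JavaScript\t:void(0)",         // TAB inside scheme: naive check bypassed
];

foreach ($samples as $url) {
    printf(
        "%-32s naive=%-5s hardened=%-5s -> %s\n",
        json_encode($url),
        var_export(naiveSchemeAllowed($url), true),
        var_export(hardenedSchemeAllowed($url), true),
        renderHyperlink($url, 'link')
    );
}
```

Run it with `php example.php`; the three bypass rows are the ones where `naive` is true and `hardened` is false. The important design choice is ordering: validation has to run on the canonicalised string, because any check performed on the raw bytes is reasoning about a URL the browser will never see.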
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| phpoffice/phpspreadsheet | Packagist | >= 3.0.0, < 3.9.0 | 3.9.0 |
| phpoffice/phpspreadsheet | Packagist | < 1.29.9 | 1.29.9 |
| phpoffice/phpspreadsheet | Packagist | >= 2.2.0, < 2.3.7 | 2.3.7 |
| phpoffice/phpspreadsheet | Packagist | >= 2.0.0, < 2.1.8 | 2.1.8 |
| phpoffice/phpexcel | Packagist | <= 1.8.2 | — |
Affected products
- (no CPE) versions: 1.0.0, 1.0.0-beta2, 1.1.0, …
- (no CPE) range: <1.29.9, >=2.0.0 <2.1.8, >=2.2.0 <2.3.7, >=3.0.0 <3.9.0
- GHSA coordinates (2 versions):
  - (no CPE) range: <= 1.8.2
  - (no CPE) range: >= 3.0.0, < 3.9.0
Patches
5414f8a2aa1d8ffb47b639649cf357183b1d18be52afdacaccde2926a9e2b
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.