VYPR
High severity · NVD Advisory · Published Aug 25, 2025 · Updated Apr 15, 2026

CVE-2025-54370

Description

PhpOffice/PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to versions 1.30.0, 2.1.12, 2.4.0, 3.10.0, and 5.0.0, SSRF can occur when a processed HTML document is read and displayed in the browser. The vulnerability lies in the setPath method of the PhpOffice\PhpSpreadsheet\Worksheet\Drawing class, where a crafted string from the user is passed to the HTML reader. This issue has been patched in versions 1.30.0, 2.1.12, 2.4.0, 3.10.0, and 5.0.0.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| phpoffice/phpspreadsheet (Packagist) | < 1.30.0 | 1.30.0 |
| phpoffice/phpspreadsheet (Packagist) | >= 2.0.0, < 2.1.12 | 2.1.12 |
| phpoffice/phpspreadsheet (Packagist) | >= 2.2.0, < 2.4.0 | 2.4.0 |
| phpoffice/phpspreadsheet (Packagist) | >= 3.0.0, < 3.10.0 | 3.10.0 |
| phpoffice/phpspreadsheet (Packagist) | >= 4.0.0, < 5.0.0 | 5.0.0 |
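
To check whether a project pins an affected release, the ranges listed above can be compared against the version recorded in composer.lock. The following is an added example, not code from the advisory or from the PhpSpreadsheet project; the function names and the sample lock content are constructed for illustration.

```python
import json
import re

PACKAGE = "phpoffice/phpspreadsheet"
# (lowest affected, first patched) per release branch, from the advisory's table.
AFFECTED = [((0, 0, 0), (1, 30, 0)), ((2, 0, 0), (2, 1, 12)), ((2, 2, 0), (2, 4, 0)),
            ((3, 0, 0), (3, 10, 0)), ((4, 0, 0), (5, 0, 0))]

def parse_version(text):
    """'v2.1.11' -> (2, 1, 11); None for non-release strings such as 'dev-master'."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return tuple(int(g or 0) for g in m.groups()) if m else None

def fixed_in(version):
    """Patched release for the branch if `version` is affected, else None."""
    for low, patched in AFFECTED:
        if low <= version < patched:
            return ".".join(map(str, patched))
    return None

def audit_lock(lock_text):
    """Return [(installed_version, verdict)] for every PhpSpreadsheet entry."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            if pkg.get("name", "").lower() != PACKAGE:
                continue
            raw = pkg.get("version", "")
            version = parse_version(raw)
            if version is None:
                verdict = "unknown: check manually"  # branch aliases, pre-releases
            else:
                fix = fixed_in(version)
                verdict = f"affected: upgrade to {fix}" if fix else "patched"
            findings.append((raw, verdict))
    return findings

# Constructed sample, shaped like a composer.lock file.
SAMPLE_LOCK = json.dumps({
    "packages": [{"name": "phpoffice/phpspreadsheet", "version": "2.1.11"},
                 {"name": "psr/log", "version": "3.0.0"}],
    "packages-dev": [],
})

if __name__ == "__main__":
    for installed, verdict in audit_lock(SAMPLE_LOCK):
        print(f"{PACKAGE} {installed}: {verdict}")
```

Version strings that are not plain releases (branch aliases, pre-release tags) are reported as unknown rather than guessed, so they need a manual check against the table.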
