CVE-2025-54370: 
PHP vulnerability analysis and mitigation

A Server-Side Request Forgery (SSRF) vulnerability has been identified in PhpSpreadsheet (CVE-2025-54370), a PHP library for reading and writing spreadsheet files. The vulnerability was discovered by Aleksey Solovev of Positive Technologies and affects multiple versions of the library including versions prior to 1.30.0, versions between 2.0.0 and 2.1.11, between 2.2.0 and 2.3.x, between 3.0.0 and 3.9.x, and between 4.0.0 and 4.x. The flaw was patched in versions 1.30.0, 2.1.12, 2.4.0, 3.10.0, and 5.0.0 (Security Online, AttackerKB).

The vulnerability exists in the setPath method of the PhpOffice\PhpSpreadsheet\Worksheet\Drawing class, where a crafted string from the user is passed to the HTML reader. When processing an HTML document containing malicious input, the code can be manipulated to make unauthorized requests from the vulnerable server. The vulnerability has been assigned a CVSS v4.0 score of 8.7 (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N) (GitHub Advisory).

The vulnerability could allow attackers to extract sensitive data from cloud metadata services, map internal infrastructure, or pivot into deeper parts of a network. Additionally, researchers noted that unsafe usage of the file_exists method when interacting with Phar archives could potentially lead to deserialization-based exploitation, potentially escalating from SSRF to remote code execution in certain contexts (Security Online).

Organizations are urged to update to the patched versions (1.30.0, 2.1.12, 2.4.0, 3.10.0, or 5.0.0). For those unable to update immediately, it's recommended to avoid passing untrusted HTML documents into PhpSpreadsheet's HTML reader and restrict outbound server connections to reduce the blast radius of any SSRF attempt. Security teams should also audit their environments for exposure to Phar-based payloads (Security Online).