CVE-2024-45048

8.8 HIGH
XXE

📋 TL;DR

PhpSpreadsheet's XML-based readers pass every spreadsheet part through a filter (the XmlScanner check) that is meant to reject DOCTYPE and entity declarations before parsing. This vulnerability lets a crafted file bypass that filter, allowing XML External Entity (XXE) attacks: an attacker can read local files on the server, even when PHP error reporting is disabled. Every application that loads spreadsheet files from untrusted sources with an affected version of PhpSpreadsheet is affected.

💻 Affected Systems

Products:
  • PHPSpreadsheet
Versions: all releases before 2.2.1, specifically (per the vendor advisory) below 1.29.1 on the 1.x branch, 2.0.0 up to 2.1.0, and 2.2.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any PHP application that uses PhpSpreadsheet to load Excel (xlsx/xlsm), OpenDocument (ods) or other XML-based spreadsheet files from untrusted sources is vulnerable; an application that only stores uploads without parsing them is not affected.

📦 What is this software?

PhpSpreadsheet (Composer package phpoffice/phpspreadsheet, the successor to PHPExcel) is a PHP library for reading and writing spreadsheet files such as xlsx, xls, ods and csv. The xlsx and ods formats are zip packages of XML parts, and those parts are parsed with libxml, which is why a document type declaration inside one of them matters.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete server compromise: disclosure of configuration files, .env files, credentials or other sensitive data, which the attacker then chains into database access, lateral movement or further attacks.

🟠

Likely Case

Unauthorized access to local files containing sensitive information such as configuration files, environment variables, or application source code.

🟢

If Mitigated

Limited impact where spreadsheet uploads are restricted to trusted users and the host doing the parsing holds nothing sensitive. The library itself remains exploitable by any file it parses, so these controls reduce exposure, not the vulnerability.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires getting a vulnerable application to parse a crafted spreadsheet, typically through an upload or import feature. No authentication is needed when that feature is reachable without a login; otherwise any account that can upload a spreadsheet suffices. The attacker retrieves file contents either in-band, through whatever the application does with the parsed cell values, or out-of-band, by pointing the external entity at a host they control.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.2.1 (the 2.1 branch is fixed in 2.1.1 and the 1.x branch in 1.29.1, per the vendor advisory)

Vendor Advisory: https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-ghg6-32f9-2jp7

Restart Required: No (PHP loads the updated classes on the next request; if OPcache runs with opcache.validate_timestamps=0, reset it or restart PHP-FPM so stale bytecode of the old reader is not served)

Instructions:

1. In composer.json, require a fixed release for the branch you are on: "phpoffice/phpspreadsheet": "^2.2.1" (or "~2.1.1" / "^1.29.1" if you cannot move to a newer minor or major version right now)
2. Run composer update phpoffice/phpspreadsheet and confirm that composer.lock now records the fixed version
3. Test the spreadsheet import and export paths, then deploy the updated vendor tree (or rebuild the container image) so the fix reaches production and not only the development checkout

🔧 Temporary Workarounds

No known workarounds

The vendor advisory lists no workaround: the bypass is in the library's own XML filter, so nothing short of the patched release closes it. The measures under "If You Can't Patch" reduce exposure but do not remove the vulnerability.

🧯 If You Can't Patch

  • Disable spreadsheet upload and import features until the library is updated
  • Validate uploads by content, not by extension or client-supplied MIME type, and reject every format PhpSpreadsheet would parse (xlsx, xlsm, ods and the other XML-based formats it reads); note that IOFactory::load chooses a reader by sniffing the file, so a renamed .xlsx is still parsed
  • If parsing must continue, run it in an isolated worker (container or separate host) that holds no credentials and cannot reach internal services, so a file read or an outbound request yields nothing useful
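One way to implement the content check as a pre-parse gate, added here as an example and not taken from PhpSpreadsheet or the advisory: open the uploaded package and refuse it if any part carries a DOCTYPE or ENTITY declaration. Because the bug on this page is precisely a bypass of such a filter, the check searches the raw bytes and several alternative decodings of every part (so a payload written in UTF-16 or UTF-7 does not slip past an ASCII substring test) and caps part size. The package builder, the sample sheets and the 20 MiB limit are constructed for the demonstration; a PHP application would do the same with ZipArchive, and none of this replaces the patched release.

```python
"""Upload gate for zip-based spreadsheets (xlsx, xlsm, ods): reject any file
whose parts carry a DOCTYPE or ENTITY declaration before a spreadsheet
library ever parses it.  Added illustration for this advisory; it is not
PhpSpreadsheet code and does not replace the patched release."""
from __future__ import annotations

import io
import re
import zipfile

# Pattern applied to the text of each part under every decoding tried below.
DECL = re.compile(r"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)
# Decodings tried beyond the raw bytes, so a part whose XML declaration claims
# a two-byte or shifted encoding does not slip past an ASCII substring check.
EXTRA_ENCODINGS = ("utf-16", "utf-16-le", "utf-16-be", "utf-7")
MAX_PART_BYTES = 20 * 1024 * 1024  # decompression-bomb guard; assumed limit


def part_findings(name: str, raw: bytes) -> list[str]:
    """Reasons to reject one package member; an empty list means it is clean."""
    # latin-1 maps every byte 1:1, so this covers ASCII, UTF-8 and 8-bit parts
    # whether or not the bytes are valid UTF-8.
    if DECL.search(raw.decode("latin-1")):
        return [f"{name}: DOCTYPE/ENTITY declaration"]
    for enc in EXTRA_ENCODINGS:
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if DECL.search(text):
            return [f"{name}: DOCTYPE/ENTITY declaration (decoded as {enc})"]
    return []


def scan_spreadsheet(blob: bytes) -> list[str]:
    """Scan every member of the package (part names are attacker-chosen, so no
    member is skipped by name).  Returns findings; [] means hand it to the parser."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return ["container: not a zip archive"]
    findings: list[str] = []
    with zf:
        for info in zf.infolist():
            if info.file_size > MAX_PART_BYTES:
                findings.append(f"{info.filename}: part larger than {MAX_PART_BYTES} bytes")
                continue
            findings.extend(part_findings(info.filename, zf.read(info)))
    return findings


def build_package(sheet_xml: bytes) -> bytes:
    """Constructed stand-in for an .xlsx: the minimum parts a reader looks for,
    with the worksheet part supplied by the caller."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("xl/workbook.xml",
                    '<?xml version="1.0"?><workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"><sheets><sheet name="Sheet1" sheetId="1"/></sheets></workbook>')
        zf.writestr("xl/worksheets/sheet1.xml", sheet_xml)
    return buf.getvalue()


SML = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
# Constructed samples: a harmless sheet and the textbook XXE shape, where the
# entity's expansion would land in cell A1 if the parser resolved it.
BENIGN_SHEET = (f'<?xml version="1.0" encoding="UTF-8"?><worksheet xmlns="{SML}">'
                '<sheetData><row r="1"><c r="A1" t="inlineStr"><is><t>hello</t></is></c>'
                '</row></sheetData></worksheet>').encode()
XXE_SHEET = ('<?xml version="1.0" encoding="UTF-8"?>'
             '<!DOCTYPE worksheet [<!ENTITY xxe SYSTEM "file:///etc/hostname">]>'
             f'<worksheet xmlns="{SML}"><sheetData><row r="1"><c r="A1" t="inlineStr">'
             '<is><t>&xxe;</t></is></c></row></sheetData></worksheet>').encode()
# The same payload re-encoded as UTF-16LE: a byte search for b"<!DOCTYPE" misses it.
XXE_SHEET_UTF16 = (XXE_SHEET.decode().replace('encoding="UTF-8"', 'encoding="UTF-16"')
                   .encode("utf-16-le"))


def demo() -> dict[str, list[str]]:
    """Run the gate over the constructed samples and a non-zip blob."""
    return {
        "benign": scan_spreadsheet(build_package(BENIGN_SHEET)),
        "xxe": scan_spreadsheet(build_package(XXE_SHEET)),
        "xxe_utf16": scan_spreadsheet(build_package(XXE_SHEET_UTF16)),
        "not_zip": scan_spreadsheet(b"this is not a package"),
    }


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, "->", "REJECT: " + "; ".join(findings) if findings else "accept")
```

Run it before the file is handed to IOFactory::load and discard anything with a non-empty findings list. The gate is deliberately blunt: legitimate spreadsheets never need a DOCTYPE, so a false positive costs one rejected upload, while a miss costs a file read on the server.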

🔍 How to Verify

Check if Vulnerable:

Check composer.lock (or vendor/composer/installed.json in the deployed tree) for phpoffice/phpspreadsheet at a version below the fix for its branch: below 1.29.1 on 1.x, 2.0.0 through 2.1.0, or 2.2.0

Check Version:

composer show phpoffice/phpspreadsheet | grep versions

Verify Fix Applied:

Confirm that composer.lock and the deployed vendor/composer/installed.json both show 1.29.1, 2.1.1, 2.2.1 or later; a fixed composer.lock in the repository proves nothing until the vendor tree in production has been rebuilt from it
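A check that only asks "is the version below 2.2.1?" misreports installs on 2.1.1 and 1.29.1 as vulnerable, so the comparison has to be branch-aware. The following is an added example, not a PhpSpreadsheet or Composer tool; the branch boundaries are the ranges listed in GHSA-ghg6-32f9-2jp7, and the composer.lock fragment is constructed.

```python
"""Branch-aware check of phpoffice/phpspreadsheet in composer.lock against the
fixed releases named in GHSA-ghg6-32f9-2jp7.  Added illustration, not a
PhpSpreadsheet or Composer tool."""
from __future__ import annotations

import json
import re

PACKAGE = "phpoffice/phpspreadsheet"
# (branch lower bound, first fixed release), ascending.  Per the advisory,
# < 1.29.1, >= 2.0.0 < 2.1.1 and >= 2.2.0 < 2.2.1 are affected.
FIXED_IN = (
    ((0, 0, 0), (1, 29, 1)),
    ((2, 0, 0), (2, 1, 1)),
    ((2, 2, 0), (2, 2, 1)),
)


def parse_version(text: str) -> tuple[int, int, int]:
    """Accept Composer's 'v1.29.0', '2.2.0' and '1.29' forms.  Anything else
    (dev-master, branch aliases, pre-release suffixes) is refused so it gets
    looked at by hand rather than silently judged."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"cannot interpret version {text!r}; inspect it by hand")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_vulnerable(version: str) -> bool:
    """True when the version precedes the fix on its own branch."""
    v = parse_version(version)
    for lower, fixed in reversed(FIXED_IN):  # most specific branch first
        if v >= lower:
            return v < fixed
    return True  # not reached: (0, 0, 0) is the floor of the first range


def check_lock(lock_text: str) -> dict[str, object]:
    """Locate the package in a composer.lock document and judge it.
    Dev dependencies are included: a vulnerable reader in a test fixture
    importer is still a vulnerable reader."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == PACKAGE:
            return {"installed": True, "version": pkg["version"],
                    "vulnerable": is_vulnerable(pkg["version"])}
    return {"installed": False, "version": None, "vulnerable": False}


# Constructed composer.lock fragment carrying only the fields this check reads.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "psr/simple-cache", "version": "3.0.0"},
        {"name": PACKAGE, "version": "2.2.0"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    print(check_lock(SAMPLE_LOCK))
    for ver in ("1.28.0", "1.29.1", "2.1.0", "2.1.1", "2.2.0", "2.2.1", "2.3.0"):
        print(ver, "vulnerable" if is_vulnerable(ver) else "fixed")
```

Point check_lock at the composer.lock of the deployed artifact (or at vendor/composer/installed.json, which has the same "packages" shape) rather than the one in the repository, for the reason given above.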

📡 Detection & Monitoring

Log Indicators:

  • PHP worker processes (php-fpm, mod_php) reading files unrelated to the application, such as /etc/passwd, .env or configuration files, while an upload or import request is in flight
  • Bursts of XML parser (libxml) warnings in the application log right after spreadsheet imports, for example undefined-entity or "failed to load external entity" messages

Network Indicators:

  • Unexpected outbound HTTP, FTP or DNS traffic from the web server to unfamiliar hosts immediately after a file upload (out-of-band XXE, where the external entity points at an attacker-controlled URL)

SIEM Query:

source="web_logs" AND (uri_path="*upload*" OR uri_path="*import*") AND file_extension IN ("xlsx", "ods", "xls")

This is a generic upload-tracking query in Splunk-style syntax; on its own it only lists spreadsheet uploads, so pair it with the application-log and outbound-connection indicators above to separate attacks from normal use.

🔗 References

  • Vendor advisory: https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-ghg6-32f9-2jp7