CVE-2024-45291

6.3 MEDIUM

📋 TL;DR

PHPSpreadsheet has a vulnerability where attackers can create malicious XLSX files that cause arbitrary file reads and Server-Side Request Forgery when image embedding is enabled. This affects all PHPSpreadsheet users with setEmbedImages(true) enabled. In worst cases with expect:// wrapper enabled, remote code execution is possible.

💻 Affected Systems

Products:
  • PHPSpreadsheet
Versions: All versions before 1.29.2, 2.1.1, and 2.3.0
Operating Systems: All operating systems running PHP
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when setEmbedImages(true) is enabled in HTML writer configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution via expect:// wrapper leading to full system compromise, arbitrary file disclosure, and SSRF attacks against internal services.

🟠

Likely Case

Arbitrary file reads exposing sensitive configuration files, credentials, and SSRF attacks against internal network services.

🟢

If Mitigated

Limited impact if image embedding is disabled or proper file upload restrictions are in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires file upload capability and setEmbedImages(true) enabled. No authentication bypass needed beyond file upload access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.29.2, 2.1.1, or 2.3.0

Vendor Advisory: https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-w9xv-qf98-ccq4

Restart Required: No

Instructions:

1. Update PHPSpreadsheet via Composer: composer require phpoffice/phpspreadsheet:^1.29.2 (or ^2.1.1 or ^2.3.0).
2. Verify the update with composer show phpoffice/phpspreadsheet.
3. Test spreadsheet processing functionality.

🔧 Temporary Workarounds

Disable image embedding

Applies to: all

Set setEmbedImages(false) or remove the call entirely from the HTML writer configuration.

$writer->setEmbedImages(false);

🧯 If You Can't Patch

  • Disable image embedding in all HTML writer configurations
  • Implement strict file upload validation rejecting XLSX files from untrusted sources

🔍 How to Verify

Check if Vulnerable:

Check if setEmbedImages(true) is used in code and PHPSpreadsheet version is below 1.29.2, 2.1.1, or 2.3.0.
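The two checks above can be scripted. This is an added example, not code from the advisory or from PhpSpreadsheet: it reads the locked package version from composer.lock (which records packages as "packages"/"packages-dev" entries with "name" and "version"), compares it against the three fix versions on their branches, and flags any setEmbedImages() call that does not pass the literal false. The sample lock file and PHP source are constructed.

```python
import json
import re

# Fixed versions from the advisory: a version is affected when it is below the fix
# for its branch (0.x/1.x -> 1.29.2, 2.0.x/2.1.x -> 2.1.1, 2.2.x -> 2.3.0).
FIX_RANGES = [((0, 0, 0), (1, 29, 2)), ((2, 0, 0), (2, 1, 1)), ((2, 2, 0), (2, 3, 0))]

def parse_version(text):
    """Turn '1.29.1', 'v2.1.0' or '2.2.0-beta1' into a comparable int tuple."""
    core = text.lstrip("v").split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")[:3] if p.isdigit()]
    return tuple(parts + [0] * (3 - len(parts)))

def is_vulnerable_version(version):
    v = parse_version(version)
    return any(low <= v < fixed for low, fixed in FIX_RANGES)

def installed_version(composer_lock_text):
    """Return the locked phpoffice/phpspreadsheet version, or None if not installed."""
    lock = json.loads(composer_lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == "phpoffice/phpspreadsheet":
            return pkg.get("version")
    return None

EMBED_CALL = re.compile(r"setEmbedImages\s*\(([^)]*)\)")

def find_embed_calls(php_source):
    """List (line, argument) for every setEmbedImages() call not passing the literal false."""
    hits = []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        for arg in EMBED_CALL.findall(line):
            if arg.strip().lower() != "false":
                hits.append((lineno, arg.strip()))
    return hits

def assess(composer_lock_text, php_sources):
    """Combine both checks: exposed only if the version is affected AND embedding is on."""
    version = installed_version(composer_lock_text)
    calls = [(f, ln, a) for f, src in php_sources.items() for ln, a in find_embed_calls(src)]
    vuln = version is not None and is_vulnerable_version(version)
    return {"version": version, "vulnerable_version": vuln, "embed_calls": calls,
            "exposed": vuln and bool(calls)}

# Constructed sample inputs (not from a real project).
SAMPLE_LOCK = json.dumps({"packages": [{"name": "phpoffice/phpspreadsheet", "version": "1.29.1"}]})
SAMPLE_PHP = {"export.php": "$writer = new Html($spreadsheet);\n$writer->setEmbedImages(true);\n"}

if __name__ == "__main__":
    print(assess(SAMPLE_LOCK, SAMPLE_PHP))
```

Calls that pass a variable rather than a literal are reported too, since they need a manual look; non-numeric versions such as dev branches parse as 0.0.0 and are flagged conservatively.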

Check Version:

composer show phpoffice/phpspreadsheet | grep versions

Verify Fix Applied:

Verify PHPSpreadsheet version is 1.29.2+, 2.1.1+, or 2.3.0+ and test with sample XLSX files containing external image references.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file read operations from PHPSpreadsheet process
  • Outbound HTTP requests to internal IPs from spreadsheet processing

Network Indicators:

  • HTTP requests to internal services triggered by file processing
  • Data exfiltration via data: URLs in output

SIEM Query:

source="php" AND (process="phpspreadsheet" OR message="setEmbedImages") AND (event="file_read" OR event="http_request")

🔗 References