CVE-2024-45293

7.5 HIGH
XXE

📋 TL;DR

This vulnerability in PHPSpreadsheet allows attackers to bypass XML security scanning by using whitespace manipulation in XLSX files, enabling XXE attacks. It affects servers that allow user-uploaded Excel files processed by vulnerable PHPSpreadsheet versions. Successful exploitation can lead to sensitive file disclosure from the server.

💻 Affected Systems

Products:
  • PHPSpreadsheet
Versions: All versions before 1.29.1, 2.1.1, and 2.3.0
Operating Systems: All operating systems running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems that process user-uploaded XLSX files using PHPSpreadsheet's XLSX reader.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete server file system disclosure including configuration files, credentials, and sensitive data through XXE attacks.

🟠 Likely Case: Partial file disclosure from web-accessible directories and server information leakage.

🟢 If Mitigated: No impact if proper input validation and file processing restrictions are in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user ability to upload XLSX files; the vulnerability itself is simple to trigger with basic XML manipulation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.29.1, 2.1.1, or 2.3.0

Vendor Advisory: https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-6hwr-6v2f-3m88

Restart Required: No

Instructions:

1. Update PHPSpreadsheet via Composer: composer require phpoffice/phpspreadsheet:^1.29.1 (or ^2.1.1 or ^2.3.0 depending on your major version).
2. Verify the update completed successfully.
3. Test XLSX file processing functionality.

🔧 Temporary Workarounds

No official workarounds

The vendor advisory states there are no known workarounds for this vulnerability.

🧯 If You Can't Patch

  • Disable XLSX file upload functionality entirely
  • Implement strict file type validation and process uploaded files in isolated sandbox environments
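For the "strict file type validation" item above, the following is an added defence-in-depth check (not PhpSpreadsheet's own code): it opens an uploaded XLSX as the ZIP-of-XML-parts it is and rejects it if any XML part carries a DOCTYPE or entity declaration. The decision is taken by the XML parser's own DOCTYPE callback rather than by matching the declaration's bytes, so it does not depend on how the declaration is spaced. The two archives are constructed samples; the part names and namespaces follow the OOXML package layout, and the size cap is an assumed local policy.

```python
"""Reject XLSX uploads whose XML parts declare a DOCTYPE (added example, not
PhpSpreadsheet code). An XLSX file is a ZIP archive of XML parts; every
*.xml / *.rels part is handed to expat, whose StartDoctypeDeclHandler fires
as soon as a DOCTYPE is recognised, whatever whitespace surrounds it."""
import io
import zipfile
from xml.parsers import expat

XML_SUFFIXES = (".xml", ".rels")          # OOXML parts that are XML
MAX_PART_BYTES = 50 * 1024 * 1024         # assumed local limit per part


class DeclarationFound(Exception):
    """Raised from inside an expat callback to stop parsing immediately."""


def xml_part_problem(xml_bytes):
    """Return a reason string if this XML part must be rejected, else None."""
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DeclarationFound("DOCTYPE declaration")

    def on_entity(*_args):
        raise DeclarationFound("entity declaration")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(xml_bytes, True)
    except DeclarationFound as exc:
        return str(exc)
    except expat.ExpatError as exc:
        # Malformed XML is rejected rather than silently accepted.
        return f"malformed XML: {exc}"
    return None


def scan_xlsx(data):
    """Return [(part_name, reason)] for every part that should block the upload."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<archive>", "not a ZIP container")]
    with archive:
        for info in archive.infolist():
            if not info.filename.lower().endswith(XML_SUFFIXES):
                continue                      # binary parts (images etc.) are not parsed
            if info.file_size > MAX_PART_BYTES:
                findings.append((info.filename, "XML part exceeds size limit"))
                continue
            reason = xml_part_problem(archive.read(info.filename))
            if reason:
                findings.append((info.filename, reason))
    return findings


def build_xlsx(parts):
    """Build a minimal in-memory XLSX container from {part_name: body}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed sample: a clean package with one binary part that is skipped.
CLEAN_PARTS = {
    "[Content_Types].xml": '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
    "xl/workbook.xml": '<?xml version="1.0" encoding="UTF-8"?>'
        '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
        '<sheets/></workbook>',
    "docProps/thumbnail.jpeg": b"\xff\xd8\xff",
}

# Constructed sample: same package plus a part whose DOCTYPE is separated from
# its name by a tab and a newline instead of a single space.
TAINTED_PARTS = dict(CLEAN_PARTS)
TAINTED_PARTS["xl/sharedStrings.xml"] = '<?xml version="1.0"?>\n<!DOCTYPE\t\nsst>\n<sst/>'

if __name__ == "__main__":
    for label, parts in (("clean", CLEAN_PARTS), ("tainted", TAINTED_PARTS)):
        print(label, "->", scan_xlsx(build_xlsx(parts)) or "accepted")
```

Run before the file reaches the spreadsheet reader and discard the upload on any finding; a parser-level check of this kind complements, but does not replace, updating to a fixed release.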

🔍 How to Verify

Check if Vulnerable:

Check composer.lock (which records the installed version) or the output of composer show for a PHPSpreadsheet version below 1.29.1, 2.1.1, or 2.3.0.

Check Version:

composer show phpoffice/phpspreadsheet | grep versions

Verify Fix Applied:

Verify the installed PHPSpreadsheet version is 1.29.1 or higher on the 1.x line, 2.1.1 or higher on the 2.1.x line, or 2.3.0 or higher. Note that 2.2.x releases predate 2.3.0 and are therefore still affected.
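An added example (not the vendor's tooling) that automates the version check above by reading composer.lock and comparing the installed phpoffice/phpspreadsheet release against the three fixed releases, taking the release line into account. The lock file below is constructed; point check_lock_file() at a real composer.lock in practice.

```python
"""Flag a composer.lock whose phpoffice/phpspreadsheet entry predates the fix
for CVE-2024-45293 (added example, not vendor code).

Fixed releases from the advisory: 1.29.1 (1.x line), 2.1.1 (2.1.x line), 2.3.0.
"""
import json
import re
import sys

PACKAGE = "phpoffice/phpspreadsheet"

# (inclusive lower bound, exclusive upper bound); None means no upper bound.
# An installed version inside one of these ranges carries the fix.
FIXED_RANGES = [
    ((1, 29, 1), (2, 0, 0)),
    ((2, 1, 1), (2, 2, 0)),
    ((2, 3, 0), None),
]


def parse_version(text):
    """'v1.29.0', '2.1.1', '1.29.0-beta1' -> (1, 29, 0) / (2, 1, 1) / (1, 29, 0).

    Non-numeric versions such as 'dev-master' become (0, 0, 0), so they are
    deliberately reported as not fixed rather than silently passed.
    """
    parts = []
    for piece in text.lstrip("vV").split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_fixed(version):
    v = parse_version(version)
    return any(v >= low and (high is None or v < high) for low, high in FIXED_RANGES)


def check_lock_data(lock):
    """Return [(section, version, fixed?)] for each phpspreadsheet entry."""
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name", "").lower() == PACKAGE:
                version = pkg.get("version", "")
                findings.append((section, version, is_fixed(version)))
    return findings


def check_lock_file(path):
    with open(path, encoding="utf-8") as fh:
        return check_lock_data(json.load(fh))


# Constructed sample lock data: a vulnerable 1.x install.
SAMPLE_LOCK = {
    "packages": [
        {"name": "phpoffice/phpspreadsheet", "version": "1.29.0"},
        {"name": "monolog/monolog", "version": "3.5.0"},
    ],
    "packages-dev": [],
}

if __name__ == "__main__":
    results = check_lock_file(sys.argv[1]) if len(sys.argv) > 1 else check_lock_data(SAMPLE_LOCK)
    if not results:
        print(f"{PACKAGE} not present in lock file")
    for section, version, fixed in results:
        print(f"{section}: {PACKAGE} {version} -> {'fixed' if fixed else 'VULNERABLE'}")
    sys.exit(0 if all(fixed for _, _, fixed in results) else 1)
```

Exit status 1 means at least one installed copy predates the fix, which makes the script usable as a CI gate after the Composer update in the fix instructions.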

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns from PHP worker processes (reads of files unrelated to the application)
  • Spikes in XML parsing errors in application logs
  • Multiple failed XLSX upload attempts from the same client

Network Indicators:

  • Outbound connections from web server to internal services following XLSX uploads
  • Unusual HTTP requests with XLSX file uploads

SIEM Query:

source="web_logs" AND (file_extension="xlsx" OR file_extension="xls") AND (status=500 OR status=400) AND size>1000000

🔗 References