CVE-2024-47873
📋 TL;DR
This vulnerability allows attackers to bypass XML external entity (XXE) protection in PhpSpreadsheet by exploiting UCS-4 encoding and encoding guessing weaknesses. It affects PHP applications that process untrusted spreadsheet files using vulnerable PhpSpreadsheet versions, potentially leading to sensitive data exposure or server-side request forgery.
💻 Affected Systems
- PHPOffice PhpSpreadsheet
📦 What is this software?
PhpSpreadsheet by PHPOffice, a PHP library for reading and writing spreadsheet files (xlsx, xls, ods, csv and others); the XML parts inside those files are what the vulnerable scanner inspects.
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through file disclosure, internal network reconnaissance, or denial of service via entity expansion attacks.
Likely Case
Sensitive file disclosure from the server filesystem, including configuration files, source code, or credentials.
If Mitigated
Limited impact if proper input validation and network segmentation are in place, though some information disclosure may still occur.
🎯 Exploit Status
Exploitation requires the attacker to craft a malicious spreadsheet file that gets processed by the vulnerable library.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.9.4, 2.1.3, 2.3.2, or 3.4.0 depending on your major version
Vendor Advisory: https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-jw4x-v69f-hh5w
Restart Required: No
Instructions:
1. Identify your PhpSpreadsheet version.
2. Update via Composer: composer require phpoffice/phpspreadsheet:^1.9.4 (or the constraint matching your major version).
3. Test spreadsheet processing functionality.
🔧 Temporary Workarounds
Disable XML external entity processing
Configure PHP to disable external entity loading globally; confirm which libxml build PHP is using with:
php -i | grep libxml
In PHP code, call libxml_disable_entity_loader(true) before any XML is parsed. Note that this function is deprecated as of PHP 8.0, where external entity loading is disabled by default; on older PHP versions it must be called explicitly.
Input validation
Validate and sanitize all spreadsheet file inputs before processing.
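The input-validation workaround above only helps if the check sees the same document the parser does. The bypass this advisory describes works because a byte-level search for the ASCII text <!ENTITY never matches a UCS-4 encoded XML part, while libxml guesses the encoding from the document's first bytes (XML 1.0 Appendix F, linked in the references) and parses the entity anyway. The following added example, written for this page in Python and not part of PhpSpreadsheet, shows a pre-processing check that guesses the encoding the same way before scanning, beside the naive byte check it replaces; the function names and the sample XML are constructed for the illustration, and Python's utf-32 codecs stand in for UCS-4 (the two are identical for every Unicode code point).

```python
import re

# Encoding detection following XML 1.0 Appendix F ("guessing without external
# information"): the first bytes of a document reveal its encoding family before
# any <?xml encoding="..."?> declaration can be read. Longer signatures come
# first so a UCS-4 BOM is not mistaken for a UTF-16 one.
_SIGNATURES = (
    (b"\x00\x00\xfe\xff", "utf-32-be"),  # UCS-4 big-endian with BOM
    (b"\xff\xfe\x00\x00", "utf-32-le"),  # UCS-4 little-endian with BOM
    (b"\x00\x00\x00<", "utf-32-be"),     # UCS-4 big-endian, no BOM ('<' = 00 00 00 3C)
    (b"<\x00\x00\x00", "utf-32-le"),     # UCS-4 little-endian, no BOM
    (b"\xfe\xff", "utf-16-be"),          # UTF-16 big-endian with BOM
    (b"\xff\xfe", "utf-16-le"),          # UTF-16 little-endian with BOM
    (b"\x00<\x00?", "utf-16-be"),        # UTF-16 big-endian, no BOM, starts with <?xml
    (b"<\x00?\x00", "utf-16-le"),        # UTF-16 little-endian, no BOM, starts with <?xml
)

def guess_encoding(data: bytes) -> str:
    """Return the codec implied by the leading bytes; anything else is treated as UTF-8."""
    for signature, codec in _SIGNATURES:
        if data.startswith(signature):
            return codec
    return "utf-8"

_ENTITY_DECL = re.compile(r"<!ENTITY", re.IGNORECASE)

def naive_scan(data: bytes) -> bool:
    """Weak pattern: a byte-level search for the ASCII spelling of '<!ENTITY'.
    In a UCS-4 part every character is padded with zero bytes, so this substring
    never occurs and the check lets the part through."""
    return bool(re.search(rb"<!ENTITY", data, re.IGNORECASE))

def hardened_scan(data: bytes) -> bool:
    """Decode with the guessed encoding first, then look for an entity declaration.
    Returns True when the part declares an entity and should be rejected.
    (A stricter policy can refuse any '<!DOCTYPE' the same way.)"""
    text = data.decode(guess_encoding(data), errors="replace")
    return bool(_ENTITY_DECL.search(text))

# Constructed sample: a harmless internal entity, stored as UCS-4 big-endian
# without a BOM, the shape that defeats the byte-level check.
SAMPLE_XML = '<?xml version="1.0"?><!DOCTYPE r [<!ENTITY e "x">]><r>&e;</r>'
SAMPLE_UCS4 = SAMPLE_XML.encode("utf-32-be")

if __name__ == "__main__":
    print("guessed encoding:", guess_encoding(SAMPLE_UCS4))     # utf-32-be
    print("naive scan flags it:", naive_scan(SAMPLE_UCS4))      # False: bypassed
    print("hardened scan flags it:", hardened_scan(SAMPLE_UCS4))  # True
```

Run the check on each XML part extracted from the uploaded archive before the file is handed to the library; the same table also catches UTF-16 variants that the byte-level search misses.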
🧯 If You Can't Patch
- Implement strict file type validation and reject any non-whitelisted spreadsheet formats
- Run PhpSpreadsheet in a sandboxed environment with restricted filesystem and network access
🔍 How to Verify
Check if Vulnerable:
Check composer.json or run: php -r "require 'vendor/autoload.php'; echo \PhpOffice\PhpSpreadsheet\Settings::VERSION;"
Check Version:
composer show phpoffice/phpspreadsheet | grep versions
Verify Fix Applied:
Verify version is 1.9.4+, 2.1.3+, 2.3.2+, or 3.4.0+ and test with known malicious XXE payloads
📡 Detection & Monitoring
Log Indicators:
- Unusual file read operations from PHP process
- Outbound HTTP requests to internal IPs from spreadsheet processing
Network Indicators:
- HTTP requests to internal services originating from web server during file upload processing
SIEM Query:
source="web_server" AND (uri_path="*upload*" OR uri_path="*import*") AND (http_user_agent="*PHP*" OR process="php")
🔗 References
- https://github.com/PHPOffice/PhpSpreadsheet/blob/39fc51309181e82593b06e2fa8e45ef8333a0335/src/PhpSpreadsheet/Reader/Security/XmlScanner.php
- https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-jw4x-v69f-hh5w
- https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
- https://www.w3.org/TR/xml/#sec-guessing-no-ext-info