CVE-2024-48917
📋 TL;DR
This vulnerability allows attackers to bypass XML external entity (XXE) protection in PhpSpreadsheet by using UTF-7 encoding tricks. Attackers can read local files, perform server-side request forgery, or cause denial of service. Any PHP application using vulnerable PhpSpreadsheet versions to process untrusted spreadsheet files is affected.
💻 Affected Systems
- PHPOffice/PhpSpreadsheet
📦 What is this software?
PhpSpreadsheet by PHPOffice
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through file disclosure, SSRF to internal services, or denial of service via entity expansion attacks.
Likely Case
Local file disclosure from the server, potentially exposing sensitive configuration files or credentials.
If Mitigated
Limited impact if proper input validation and file upload restrictions are in place.
🎯 Exploit Status
Exploitation requires uploading a malicious spreadsheet file; a public proof-of-concept exists in the vendor advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.9.4, 2.1.3, 2.3.2, or 3.4.0
Vendor Advisory: https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-7cc9-j4mv-vcjp
Restart Required: No
Instructions:
1. Update PhpSpreadsheet via Composer: composer require phpoffice/phpspreadsheet:^1.9.4 (or the appropriate patched version for the major line you use).
2. Verify the update with composer show phpoffice/phpspreadsheet.
3. Test spreadsheet processing functionality.
🔧 Temporary Workarounds
Disable XXE processing in PHP
Configure PHP's libxml to disable external entity loading globally. Note that libxml_disable_entity_loader() is deprecated as of PHP 8.0, where libxml 2.9+ already refuses to load external entities unless a parser explicitly requests it, so on those versions rely on the patch and on upload validation instead.
libxml_disable_entity_loader(true);
Validate file uploads
Restrict uploaded files to trusted sources and validate file contents before processing.
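One way to do that content validation, as an added example that is not code from PhpSpreadsheet or the advisory: a pre-processing scanner that unpacks the .xlsx package and, rather than matching raw bytes, decodes each XML part with the encoding it declares before looking for DOCTYPE/ENTITY declarations, which is exactly the gap the UTF-7 trick described above relies on. The part names, the expected-encoding list and the two sample packages are constructed assumptions for offline use; the sample's DOCTYPE carries only a harmless internal entity.

```python
import base64
import io
import re
import zipfile
# Encodings a legitimate OOXML package is expected to declare (assumption).
EXPECTED_ENCODINGS = {"utf-8", "utf-16", "utf-16le", "utf-16be"}
DECL_RE = re.compile(rb'encoding=["\']([A-Za-z0-9._-]+)["\']')
DECLARATION_RE = re.compile(r"<!(DOCTYPE|ENTITY)", re.IGNORECASE)

def scan_xml_part(name: str, raw: bytes) -> list:
    """Findings for one XML part: decode with the declared encoding, then match."""
    findings = []
    m = DECL_RE.search(raw[:200])  # the XML declaration sits at the start
    encoding = m.group(1).decode("ascii").lower() if m else "utf-8"
    if encoding not in EXPECTED_ENCODINGS:
        findings.append(f"{name}: unexpected declared encoding {encoding!r}")
    try:
        text = raw.decode(encoding, errors="replace")
    except LookupError:
        return findings + [f"{name}: unknown encoding {encoding!r}, reject the file"]
    # Match on decoded text, not raw bytes: a UTF-7 shifted sequence hides the markers.
    if DECLARATION_RE.search(text):
        findings.append(f"{name}: DOCTYPE/ENTITY declaration present after decoding")
    return findings

def scan_spreadsheet(package: bytes) -> list:
    """Scan every XML part of an .xlsx (zip) package and return all findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith((".xml", ".rels")):
                findings.extend(scan_xml_part(info.filename, zf.read(info)))
    return findings

def utf7_shift(text: str) -> bytes:
    """Constructed helper: encode text as one UTF-7 shifted (+...-) sequence."""
    return b"+" + base64.b64encode(text.encode("utf-16-be")).rstrip(b"=") + b"-"

def build_sample(sheet_xml: bytes) -> bytes:
    """Constructed two-part package (not a real workbook) for offline testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0" encoding="UTF-8"?><Types/>')
        zf.writestr("xl/worksheets/sheet1.xml", sheet_xml)
    return buf.getvalue()

# Constructed samples: a clean sheet, and one whose internal DOCTYPE is only visible once decoded as UTF-7.
CLEAN_SHEET = b'<?xml version="1.0" encoding="UTF-8"?><worksheet/>'
UTF7_SHEET = b'<?xml version="1.0" encoding="UTF-7"?>' + utf7_shift('<!DOCTYPE x [<!ENTITY e "x">]><worksheet>&e;</worksheet>')
```

Run scan_spreadsheet() on each upload before handing it to PhpSpreadsheet and reject the file on any finding; the unexpected-encoding check alone is a cheap first gate even where decoding is not possible.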
🧯 If You Can't Patch
- Implement strict file upload validation and only accept spreadsheets from trusted sources.
- Use a WAF or application firewall to block malicious XML payloads in uploaded files.
🔍 How to Verify
Check if Vulnerable:
Check composer.json or run composer show phpoffice/phpspreadsheet to see whether the installed version is below the patched release for its major line.
Check Version:
composer show phpoffice/phpspreadsheet | grep versions
Verify Fix Applied:
Verify that the installed version is 1.9.4, 2.1.3, 2.3.2 or 3.4.0, or a later release of the same major line.
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns from PHP processes
- Errors related to XML parsing or external entity loading
Network Indicators:
- Outbound HTTP requests from the server to internal or external systems triggered by file uploads
SIEM Query:
source="php_error.log" AND ("XXE" OR "external entity" OR "UTF-7")
🔗 References
- https://github.com/PHPOffice/PhpSpreadsheet/blob/39fc51309181e82593b06e2fa8e45ef8333a0335/src/PhpSpreadsheet/Reader/Security/XmlScanner.php
- https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-7cc9-j4mv-vcjp
- https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing