CVE-2025-22131
📋 TL;DR
CVE-2025-22131 is a Cross-Site Scripting (XSS) vulnerability in PhpSpreadsheet that occurs when converting XLSX files to HTML for display. Attackers can inject malicious scripts into spreadsheets that execute when viewed through vulnerable web applications. This affects any PHP application using PhpSpreadsheet to display spreadsheet content in web responses.
💻 Affected Systems
- PHPOffice/PhpSpreadsheet
📦 What is this software?
PhpSpreadsheet by PHPOffice
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, deface websites, or redirect users to malicious sites by embedding malicious scripts in uploaded spreadsheets.
Likely Case
Attackers upload specially crafted spreadsheets containing XSS payloads that execute when administrators or users view the converted HTML output, potentially leading to session hijacking or client-side attacks.
If Mitigated
With proper input validation and output encoding, the impact is limited to potential data leakage from the spreadsheet content itself without script execution.
🎯 Exploit Status
Exploitation requires the ability to upload or provide XLSX files that get processed and displayed as HTML. The vulnerability is in the HTML conversion logic.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.3.0
Vendor Advisory: https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-79xx-vf93-p7cx
Restart Required: No
Instructions:
1. Update PhpSpreadsheet to version 2.3.0 or later using Composer: composer require phpoffice/phpspreadsheet:^2.3.0
2. Run composer update
3. Test that spreadsheet-to-HTML functionality still works correctly
🔧 Temporary Workarounds
Disable HTML output
Temporarily disable the HTML writer functionality that converts spreadsheets to HTML for web display
Implement output encoding
Manually apply HTML entity encoding to all spreadsheet content before displaying it in web responses
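The output-encoding workaround above, as an added PHP example that is not part of the advisory or of PhpSpreadsheet itself: it bypasses the Html writer and renders the active sheet as a plain table whose every cell goes through htmlspecialchars(), then runs a self-check on a constructed marker cell. It assumes PhpSpreadsheet is installed through Composer (vendor/autoload.php); the function names are hypothetical.

```php
<?php
// Added example, not advisory or PhpSpreadsheet code: renders a sheet without the Html
// writer, entity-encoding every cell. Assumes a Composer install of PhpSpreadsheet.
require __DIR__ . '/vendor/autoload.php';

use PhpOffice\PhpSpreadsheet\IOFactory;
use PhpOffice\PhpSpreadsheet\Spreadsheet;

/** Escape one cell value for use as HTML text content (hypothetical helper). */
function escapeCell(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render the active sheet as a plain <table>; every cell passes through escapeCell(). */
function renderSheetSafely(Spreadsheet $spreadsheet): string
{
    // '' for empty cells, no formula evaluation, formatted display values
    $rows = $spreadsheet->getActiveSheet()->toArray('', false, true);
    $html = "<table>\n";
    foreach ($rows as $row) {
        $html .= '<tr>';
        foreach ($row as $cell) {
            $html .= '<td>' . escapeCell((string) $cell) . '</td>';
        }
        $html .= "</tr>\n";
    }
    return $html . "</table>\n";
}

/** Load an uploaded XLSX as data only (no styles, drawings or hyperlinks) and render it. */
function renderFileSafely(string $path): string
{
    $reader = IOFactory::createReader('Xlsx');
    $reader->setReadDataOnly(true);
    return renderSheetSafely($reader->load($path));
}

/** Self-check on a constructed workbook: markup in a cell must come out encoded. */
function selfCheck(): bool
{
    $marker = '<b onmouseover="x">marker</b>'; // constructed test string
    $spreadsheet = new Spreadsheet();
    $spreadsheet->getActiveSheet()->setCellValue('A1', $marker);
    $out = renderSheetSafely($spreadsheet);
    return !str_contains($out, $marker)
        && str_contains($out, '&lt;b onmouseover=&quot;x&quot;&gt;marker&lt;/b&gt;');
}

echo selfCheck() ? "OK: cell content is entity-encoded\n" : "FAIL: markup reached output\n";
```

Because only text nodes are emitted, entity encoding is sufficient here; the workaround does not carry over if cell values are later placed into attributes, URLs or inline scripts.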
🧯 If You Can't Patch
- Implement strict file upload validation and sanitization for XLSX files
- Use Content Security Policy (CSP) headers to mitigate XSS impact
🔍 How to Verify
Check if Vulnerable:
Check whether your application uses PhpSpreadsheet and renders spreadsheets with the HTML writer class \PhpOffice\PhpSpreadsheet\Writer\Html (directly, or indirectly through IOFactory). Review composer.json and composer.lock for the installed phpoffice/phpspreadsheet version.
Check Version:
composer show phpoffice/phpspreadsheet | grep versions
Verify Fix Applied:
After updating, verify that the installed version is 2.3.0 or higher with composer show phpoffice/phpspreadsheet. Test that XLSX files containing script tags are rendered as encoded text, not executed, when converted to HTML.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads of XLSX files followed by HTML generation requests
- Errors in HTML writer processing
Network Indicators:
- HTTP requests with XSS payloads in spreadsheet upload parameters
- Unexpected script tags in HTML responses from spreadsheet endpoints
SIEM Query:
source="web_logs" AND (uri_path="*spreadsheet*" OR uri_path="*xlsx*") AND (http_method="POST" OR http_method="PUT") AND status_code=200