Cyber Resilience

CVE-2024-45293

Severity: High · Public PoC

Published: 07 October 2024
Modified: 07 March 2025
KEV Added: not listed
Patch: (blank)
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.7163 (98.8th percentile)
Risk Priority: 58 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-45293 is a high-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in PhpOffice PhpSpreadsheet. Its CVSS v3.1 base score is 7.5 (High).

Operationally, it ranks in the top 1.2% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. CVE-2024-45293 is an XML External Entity (XXE) vulnerability in its XLSX reader that stems from a flawed encoding check inside the toUtf8 function of src/PhpSpreadsheet/Reader/Security/XmlScanner.php. The regex intended to detect the XML encoding declaration only matches the attribute when it is written exactly as encoding="..." or encoding='...'; any whitespace around the equals sign makes the match fail, so the encoding defaults to UTF-8, the conversion step is skipped, and a UTF-7 encoded XXE payload reaches the security scanner unconverted, where its markup is not recognised.

An unauthenticated attacker who can upload XLSX files to a server that processes them with PHPSpreadsheet can supply a crafted spreadsheet that triggers the XXE and reads arbitrary server files or other sensitive information. The attack requires no user interaction and is exploitable over the network with low attack complexity, corresponding to the CVSS 7.5 rating and CWE-611 classification.

The GitHub Security Advisory GHSA-6hwr-6v2f-3m88 states that the issue has been fixed in PHPSpreadsheet releases 1.29.1, 2.1.1, and 2.3.0 and that no workarounds exist; all users are advised to upgrade immediately.

The EPSS score currently stands at 0.7163, its recorded peak, with no material rise from a low baseline after disclosure.

Vulnerability details

PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. The security scanner responsible for preventing XXE attacks in the XLSX reader can be bypassed by slightly modifying the XML structure using whitespace. On servers that allow users to upload their own Excel (XLSX) sheets, server files and sensitive information can be disclosed by providing a crafted sheet. The security scan function in src/PhpSpreadsheet/Reader/Security/XmlScanner.php contains a flawed XML encoding check, in the toUtf8 function, that retrieves the input file's XML encoding. The function searches for the XML encoding with a regex that looks for `encoding="*"` or `encoding='*'`; if neither is found, it defaults to UTF-8, which skips the conversion logic. This can be used to pass a UTF-7 encoded XXE payload by placing whitespace before or after the = in the attribute definition. The result is sensitive information disclosure through XXE on sites that allow users to upload their own Excel spreadsheets and parse them with PHPSpreadsheet's Excel parser. This issue has been addressed in release versions 1.29.1, 2.1.1, and 2.3.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.
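To make the mechanism described in the analysis and in the vulnerability details above concrete, here is an added Python reconstruction (not PhpSpreadsheet's own code) of the whitespace-intolerant encoding check beside a hardened one, run against a constructed UTF-7 document; the two regexes, the sample documents and the simplified DOCTYPE rejection are assumptions, not the project's exact patch.

```python
import codecs
import re

# Constructed sample (not from the advisory): the prolog declares UTF-7 with
# spaces around '=', and the DOCTYPE's angle brackets are UTF-7 shifted
# sequences (+ADw- is '<', +AD4- is '>'), so a byte search for "<!DOCTYPE"
# on the unconverted input finds nothing.
SAMPLE_UTF7 = (
    b'<?xml version="1.0" encoding = "UTF-7"?>\n'
    b'+ADw-!DOCTYPE note+AD4-\n'
    b'<note>hello</note>\n'
)
# Constructed control: plain UTF-8 document with a visible DOCTYPE.
SAMPLE_UTF8 = b'<?xml version="1.0" encoding="UTF-8"?>\n<!DOCTYPE note>\n<note/>'

# Flawed check, modelling the pre-fix behaviour the advisory describes:
# the attribute must appear exactly as encoding="..." or encoding='...'.
FLAWED_RE = re.compile(rb'encoding="(.*?)"|encoding=\'(.*?)\'')

# Hardened check (an assumption, not the project's exact patch): tolerate
# whitespace around '=', accept either quote style, ignore case.
FIXED_RE = re.compile(rb'encoding\s*=\s*(["\'])(.*?)\1', re.IGNORECASE)


def declared_encoding(xml: bytes, pattern: re.Pattern) -> str:
    """Charset named in the prolog according to `pattern`, default UTF-8."""
    match = pattern.search(xml)
    if match is None:
        return "UTF-8"
    # The charset is always in the last capture group that participated.
    return match.group(match.lastindex).decode("ascii").upper()


def scan(xml: bytes, pattern: re.Pattern) -> bool:
    """True if the scanner accepts the document (convert to UTF-8 when a
    non-UTF-8 charset is declared, then reject any DOCTYPE; the DOCTYPE
    rejection is a simplified stand-in for the real scanner's checks)."""
    charset = declared_encoding(xml, pattern)
    if charset != "UTF-8":
        xml = codecs.decode(xml, charset).encode("utf-8")
    return re.search(rb"<!DOCTYPE", xml, re.IGNORECASE) is None


if __name__ == "__main__":
    for name, pattern in (("flawed", FLAWED_RE), ("fixed", FIXED_RE)):
        verdict = "accepted" if scan(SAMPLE_UTF7, pattern) else "rejected"
        print(f"{name} check: UTF-7 sample {verdict}")  # flawed: accepted
```

With the flawed regex the UTF-7 sample is accepted because no conversion happens and the DOCTYPE stays hidden in shifted sequences; with the hardened regex it is converted first and rejected.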

CWE(s)

CWE-611: Improper Restriction of XML External Entity Reference

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: phpoffice
Product: phpspreadsheet
Affected versions: ≤ 1.29.1 · 2.0.0 — 2.1.1 · 2.2.0 — 2.3.0

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-611: Penetration testing that includes XML external entity payloads, detecting XXE vulnerabilities and enabling their mitigation.

Addresses CWE-611: Monitoring of unusual file/network access or resource usage that identifies XML external entity processing.
