CVE-2019-12331: XXE in PHPSpreadsheet due to incomplete fix for previous encoding issue
CVSS Score
8.8 (CVSS v3.1)
Basic Information
CVE ID
GHSA ID
EPSS Score
0.5486%
CWE
Published
11/20/2019
Updated
3/6/2025
KEV Status
No
Technology
PHP
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| phpoffice/phpspreadsheet | composer | < 1.8.0 | 1.8.0 |
| phpoffice/phpexcel | composer | <= 1.8.2 | |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from incomplete handling of encoding conversions in XML parsing. The XmlScanner's scan method relied on a regex check after a single charset conversion, which could be bypassed via double-encoded UTF-7. The toUtf8 method (in pre-1.8.0 versions) didn't re-validate the charset after conversion, allowing the payload to pass undetected. The fix in 1.8.0 added a second charset check in toUtf8 and improved libxml entity loader management, confirming these functions as the vulnerability points.