Phpoffice · Phpoffice Math · CVE-2025-48882
**Name of the Vulnerable Software and Affected Versions**
PHPOffice Math versions prior to 0.3.0
**Description**
An attacker can craft an XML file that, when processed, loads external entities, which enables reading local files on the server. The cause is the use of the `libxml` extension with the `LIBXML_DTDLOAD` flag without additional filtering. The vulnerability applies only to reading files in the MathML format.
**Recommendations**
For versions prior to 0.3.0, update to version 0.3.0 or later to fix the vulnerability. As a temporary workaround, consider filtering external entities by implementing a custom external entity loader function, for example with `libxml_set_external_entity_loader`, to minimize the risk of exploitation.
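
The workaround above, sketched as a deny-by-default loader. This is an added example, not code from PHPOffice Math; it assumes the MathML content is parsed with `DOMDocument::loadXML` and the `LIBXML_DTDLOAD` flag, and the sample document and its placeholder DTD path are constructed.

```php
<?php
// Added example: deny-by-default external entity loader (not PHPOffice Math code).
// The loader is global to the PHP process and applies to all libxml parsing,
// so install it before any untrusted MathML is read.

$blocked = [];

// libxml calls this for every external DTD or entity it wants to fetch.
// Returning null tells libxml the resource cannot be resolved.
libxml_set_external_entity_loader(
    static function (?string $publicId, ?string $systemId, array $context) use (&$blocked) {
        $blocked[] = $systemId ?? '(none)';
        error_log('Blocked external entity load: ' . ($systemId ?? '(none)'));
        return null;
    }
);

// Constructed sample input: MathML whose DOCTYPE points at an external DTD.
// The path is a placeholder and does not need to exist.
$mathml = <<<'XML'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE math SYSTEM "file:///constructed/example-placeholder.dtd">
<math xmlns="http://www.w3.org/1998/Math/MathML"><mi>x</mi></math>
XML;

// Collect parser messages instead of emitting PHP warnings.
libxml_use_internal_errors(true);

$dom = new DOMDocument();
// Assumption: same flag the advisory names, passed to DOMDocument::loadXML.
$parsed = $dom->loadXML($mathml, LIBXML_DTDLOAD);

echo 'Document parsed: ', var_export($parsed, true), PHP_EOL;
echo 'External loads denied: ', count($blocked), PHP_EOL;
foreach ($blocked as $systemId) {
    echo '  ', $systemId, PHP_EOL;
}
foreach (libxml_get_errors() as $error) {
    echo 'libxml: ', trim($error->message), PHP_EOL;
}
libxml_clear_errors();

// Restore the default loader only if other code in the process needs it.
libxml_set_external_entity_loader(null);
```

Logging each denied system identifier gives a detection signal: a MathML upload that triggers the loader is requesting an external resource and is worth reviewing.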