CVE-2024-45290

Name of the Vulnerable Software and Affected Versions PHPSpreadsheet versions prior to 1.29.2 PHPSpreadsheet versions prior to 2.1.1 PHPSpreadsheet versions prior to 2.3.0

Description It's possible for an attacker to construct an XLSX file which links media from external URLs. When opening the XLSX file, PHPSpreadsheet retrieves the image size and type by reading the file contents, if the provided path is a URL. By using specially crafted php://filter URLs, an attacker can leak the contents of any file or URL. An attacker can access any file on the server, or leak information from arbitrary URLs, potentially exposing sensitive information such as AWS IAM credentials.

Recommendations For PHPSpreadsheet versions prior to 1.29.2, update to version 1.29.2 or later. For PHPSpreadsheet versions prior to 2.1.1, update to version 2.1.1 or later. For PHPSpreadsheet versions prior to 2.3.0, update to version 2.3.0 or later. As a temporary workaround, consider disabling the setPath() function until a patch is available. Restrict access to the vulnerable xl/drawings/ rels/drawing1.xml.rels file to minimize the risk of exploitation. Avoid using the php://filter URLs in the affected API endpoint until the issue is resolved.