PT-2025-23222 · Phpoffice · Phpoffice Math

Aleksandr Zhurnakov · Published 2025-05-29 · Updated 2025-07-07 · CVE-2025-48882

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: PHPOffice Math versions prior to 0.3.0
Description: A specially crafted XML file, when processed, causes external entities to be loaded, allowing local files on the server to be read. The cause is use of the libxml extension with the LIBXML_DTDLOAD flag and no additional filtering. The vulnerability affects only the reading of files in the MathML format.
Recommendations: For versions prior to 0.3.0, update to version 0.3.0 or later to fix the vulnerability. As a temporary workaround, filter external entities by registering a custom external entity loader function (for example with libxml_set_external_entity_loader) to reduce the risk of exploitation.
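The workaround described above, written out as an added example that is not PHPOffice Math's own code: a deny-all external entity loader installed before MathML is parsed with the LIBXML_DTDLOAD flag the advisory names. The function names, the log class and the sample MathML document are constructed for illustration.

```php
<?php
// Added example, not code from PHPOffice Math: the workaround the advisory
// recommends, a custom external entity loader that refuses every external
// DTD or entity fetch. Function names and the sample document are constructed.
declare(strict_types=1);

/** URIs libxml tried to fetch, kept so the attempt can be logged and detected. */
final class BlockedEntityLog
{
    /** @var string[] */
    public static array $uris = [];
}

/** Install a loader that denies all external resources (null = "cannot load"). */
function installDenyAllEntityLoader(): void
{
    libxml_set_external_entity_loader(
        static function (?string $publicId, string $systemId, array $context): ?string {
            BlockedEntityLog::$uris[] = $systemId;
            error_log('Blocked external entity load: ' . $systemId);
            return null; // never hand libxml a file handle or a URI to open
        }
    );
}

/** Parse MathML with the flag the affected versions used, behind the deny-all loader. */
function parseMathMl(string $xml): DOMDocument
{
    $dom = new DOMDocument();
    $previous = libxml_use_internal_errors(true);
    // LIBXML_DTDLOAD makes libxml fetch the external DTD; that fetch is the
    // step the loader above now refuses, so no local file or URL is opened.
    $dom->loadXML($xml, LIBXML_DTDLOAD);
    foreach (libxml_get_errors() as $error) {
        error_log(trim($error->message)); // e.g. "failed to load external entity ..."
    }
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    return $dom;
}

// Constructed sample: a MathML document whose DOCTYPE points at an external DTD.
$sample = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE math SYSTEM "http://example.invalid/mathml.dtd">
<math xmlns="http://www.w3.org/1998/Math/MathML"><mi>x</mi></math>
XML;

installDenyAllEntityLoader();
$doc = parseMathMl($sample);
printf("root element: %s\n", $doc->documentElement->localName ?? '(none)');
printf("blocked fetches: %s\n", implode(', ', BlockedEntityLog::$uris));
```

The loader is process-wide, so install it once at application bootstrap rather than per parse, and treat every logged "Blocked external entity load" entry as a signal worth alerting on.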

Weakness Enumeration

XXE

Related Identifiers

BDU:2025-09279
CVE-2025-48882
GHSA-42HM-PQ2F-3R7M

Affected Products

Phpoffice Math