PT-2025-4849 · Phpoffice · Phpspreadsheet

Igor Sak-Sakovskiy · Published 2025-01-15 · Updated 2025-02-03 · CVE-2025-23210

CVSS v2.0: 5.5 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions

phpoffice/phpspreadsheet versions prior to 1.29.9
phpoffice/phpspreadsheet versions prior to 2.1.8
phpoffice/phpspreadsheet versions prior to 2.3.7
phpoffice/phpspreadsheet versions prior to 3.9.0

Description

The issue is a bypass of the Cross-site Scripting (XSS) sanitizer in phpoffice/phpspreadsheet, a pure PHP library for reading and writing spreadsheet files. The bypass is achieved using the javascript protocol together with special characters: an attacker can use special characters to build an HTML link that, when clicked, executes arbitrary JavaScript code in the victim's browser. The vulnerable component is the PhpOffice\PhpSpreadsheet\Writer\Html class, specifically its generateRow method. Exploitation requires a user to view a specially generated XML file.

Recommendations

For versions prior to 1.29.9, upgrade to version 1.29.9 or later.
For versions prior to 2.1.8, upgrade to version 2.1.8 or later.
For versions prior to 2.3.7, upgrade to version 2.3.7 or later.
For versions prior to 3.9.0, upgrade to version 3.9.0 or later.
As a temporary workaround, consider additional sanitization of special characters in strings to minimize the risk of exploitation.
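The following is an added example of the "additional sanitization" workaround, written for this page and not taken from PhpSpreadsheet or from the advisory. It checks cell hyperlink URLs before a workbook is handed to the HTML writer: instead of blocklisting the literal string "javascript:", which is exactly what case changes, embedded control characters and entity or percent encoding of the scheme are used to slip past, it normalises the URL and then allowlists the scheme. The function names, the allowlist policy and the sample inputs are hypothetical; the worksheet helper assumes the Worksheet::getHyperlinkCollection() method and the Hyperlink getUrl()/setUrl() accessors.

```php
<?php
declare(strict_types=1);

// Added example, not PhpSpreadsheet's own code. Shows the advisory's
// "additional sanitization" workaround applied to cell hyperlinks before a
// workbook is rendered with \PhpOffice\PhpSpreadsheet\Writer\Html.
// Function names, the scheme allowlist and the sample inputs are
// hypothetical / constructed.

/**
 * Return true only if $url is safe to emit as an href in generated HTML.
 *
 * The input is normalised first (decoding plus removal of control
 * characters), then the scheme is allowlisted rather than blocklisted.
 */
function isSafeHyperlinkUrl(string $url): bool
{
    $normalised = $url;
    // Repeat until the string stops changing so that one level of double
    // encoding cannot survive a single decoding pass.
    do {
        $before = $normalised;
        // Decode HTML entities (e.g. an entity-encoded colon) and
        // percent-encoding so the scheme cannot be disguised.
        $normalised = rawurldecode(
            html_entity_decode($normalised, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        );
        // Drop ASCII control characters and whitespace anywhere in the
        // string; browsers tolerate them inside a scheme, so they must not
        // be able to split the scheme name for the check below.
        $normalised = preg_replace('/[\x00-\x20\x7F]+/', '', $normalised);
        if ($normalised === null) {
            return false; // preg_replace failed on invalid input: reject
        }
    } while ($normalised !== $before);

    if ($normalised === '') {
        return false;
    }

    // No scheme at all (relative path, fragment or protocol-relative URL):
    // such links cannot carry script, so accept them.
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $normalised, $m)) {
        return true;
    }

    // Allowlist (hypothetical policy): only schemes that are safe to render
    // as a clickable link. javascript, data, vbscript etc. never match.
    $allowedSchemes = ['http', 'https', 'mailto'];
    return in_array(strtolower($m[1]), $allowedSchemes, true);
}

/**
 * Replace every unsafe hyperlink on a worksheet with an inert "#" before the
 * sheet is passed to the HTML writer. Returns the rewritten coordinates.
 *
 * Assumes Worksheet::getHyperlinkCollection() (coordinate => Hyperlink) and
 * the Hyperlink getUrl() / setUrl() accessors.
 */
function neutraliseUnsafeHyperlinks(\PhpOffice\PhpSpreadsheet\Worksheet\Worksheet $sheet): array
{
    $rewritten = [];
    foreach ($sheet->getHyperlinkCollection() as $coordinate => $hyperlink) {
        if (!isSafeHyperlinkUrl($hyperlink->getUrl())) {
            $hyperlink->setUrl('#');
            $rewritten[] = $coordinate;
        }
    }
    return $rewritten;
}

// Constructed sample inputs exercising the check; no spreadsheet or the
// PhpSpreadsheet library is needed to run this part.
$samples = [
    'https://example.com/report'       => true,
    'mailto:security@example.com'      => true,
    '#sheet2'                          => true,
    'JavaScript:alert(1)'              => false,  // case variation
    "java\tscript:alert(1)"            => false,  // control character in scheme
    'javascript&#58;alert(1)'          => false,  // entity-encoded colon
    'java%0Ascript:alert(1)'           => false,  // percent-encoded newline
    'data:text/html,<script></script>' => false,  // non-allowlisted scheme
];
foreach ($samples as $url => $expected) {
    $result = isSafeHyperlinkUrl($url);
    printf("%-40s %s\n", json_encode($url), $result === $expected ? 'ok' : 'MISMATCH');
}
```

Running the script prints "ok" for every sample. In an application the call site would be neutraliseUnsafeHyperlinks($spreadsheet->getActiveSheet()) immediately before constructing the HTML writer; the returned coordinates can be logged so that rewritten links in uploaded files show up in monitoring. This remains a workaround: upgrading to a fixed release is the actual remediation.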

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

BDU:2025-13241
CVE-2025-23210
GHSA-R57H-547H-W24F

Affected Products

Phpspreadsheet