CVE-2025-22131
published 2025-01-20CVE-2025-22131: PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Cross-Site Scripting (XSS) vulnerability in the code which translates the XLSX file…
PriorityP423medium6.1CVSS 3.1
AVNACLPRNUIRSCCLILAN
EPSS
0.37%
29.0th percentile
PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Cross-Site Scripting (XSS) vulnerability in the code which translates the XLSX file into a HTML representation and displays it in the response.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| phpoffice | phpexcel | 0 – 1.8.2 | — |
| phpoffice | phpspreadsheet | < 1.29.8 | 1.29.8 |
| phpoffice | phpspreadsheet | — | — |
| phpoffice | phpspreadsheet | — | — |
| phpoffice | phpspreadsheet | — | — |
| phpoffice | phpspreadsheet | >= 0 < 1.29.8 | 1.29.8 |
| phpoffice | phpspreadsheet | >= 2.0.0 < 2.1.7 | 2.1.7 |
| phpoffice | phpspreadsheet | >= 2.0.0 < 2.1.7 | 2.1.7 |
| phpoffice | phpspreadsheet | >= 2.2.0 < 2.3.6 | 2.3.6 |
| phpoffice | phpspreadsheet | >= 2.2.0 < 2.3.6 | 2.3.6 |
| phpoffice | phpspreadsheet | >= 3.0.0 < 3.8.0 | 3.8.0 |
| phpoffice | phpspreadsheet | >= 3.0.0 < 3.8.0 | 3.8.0 |
CVSS provenance
nvdv3.16.1MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvdv4.05.1MEDIUMCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Cross-Site Scripting (XSS) vulnerability in generateNavigation() function in PhpSpreadsheet
osv·2025-01-21
CVE-2025-22131 [MEDIUM] Cross-Site Scripting (XSS) vulnerability in generateNavigation() function in PhpSpreadsheet
Cross-Site Scripting (XSS) vulnerability in generateNavigation() function in PhpSpreadsheet
### Summary
The researcher discovered zero-day vulnerability Cross-Site Scripting (XSS) vulnerability in the code which translates the XLSX file into a HTML representation and displays it in the response.
### Details
When generating the HTML from an xlsx file containing multiple sheets, a navigation menu is created. This menu includes the sheet names, which are not sanitized. As a result, an attacker can exploit this vulnerability to execute JavaScript code.
```php
// Construct HTML
$html = '';
// Only if there are more than 1 sheets
if (count($sheets) > 1) {
// Loop all sheets
$sheetId = 0;
$html .= '' . PHP_EOL;
foreach ($sheets as $sheet) {
$html .= ' ' . $sheet->getTitle() . '' . PHP_EOL;
GHSA
Cross-Site Scripting (XSS) vulnerability in generateNavigation() function in PhpSpreadsheet
ghsa·2025-01-21
CVE-2025-22131 [MEDIUM] CWE-79 Cross-Site Scripting (XSS) vulnerability in generateNavigation() function in PhpSpreadsheet
Cross-Site Scripting (XSS) vulnerability in generateNavigation() function in PhpSpreadsheet
### Summary
The researcher discovered zero-day vulnerability Cross-Site Scripting (XSS) vulnerability in the code which translates the XLSX file into a HTML representation and displays it in the response.
### Details
When generating the HTML from an xlsx file containing multiple sheets, a navigation menu is created. This menu includes the sheet names, which are not sanitized. As a result, an attacker can exploit this vulnerability to execute JavaScript code.
```php
// Construct HTML
$html = '';
// Only if there are more than 1 sheets
if (count($sheets) > 1) {
// Loop all sheets
$sheetId = 0;
$html .= '' . PHP_EOL;
foreach ($sheets as $sheet) {
$html .= ' ' . $sheet->getTitle() . '' . PHP_EOL;
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-01-20
Published