CVE-2025-23210 MEDIUM

CVE-2025-23210: Bypass XSS sanitizer using the javascript protocol and special characters in phpoffice/phpspreadsheet

Vendor Phpoffice

Product PhpSpreadsheet

Weakness CWE-79 · XSS

Published February 3, 2025

Last update February 4, 2025

View on NVD All CVEs

CVSS base score

4.8/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

Description

phpoffice/phpspreadsheet is a pure PHP library for reading and writing spreadsheet files. Affected versions have been found to have a Bypass of the Cross-site Scripting (XSS) sanitizer using the javascript protocol and special characters. This issue has been addressed in versions 3.9.0, 2.3.7, 2.1.8, and 1.29.9. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Key dates

Disclosure timeline

February 3, 2025 CVE published

February 4, 2025 Record updated

Identifiers

CVE CVE-2025-23210

CWE CWE-79

CVSS 4.8 / MEDIUM

Affected versions

Vendor Phpoffice

Product PhpSpreadsheet

Affected >= 3.0.0, < 3.9.0

Vendor Phpoffice

Product PhpSpreadsheet

Affected >= 2.2.0, < 2.3.7

Vendor Phpoffice

Product PhpSpreadsheet

Affected >= 2.0.0, < 2.1.8

Vendor Phpoffice

Product PhpSpreadsheet

Affected < 1.29.9