
CVE-2025-54370: CWE-918: Server-Side Request Forgery (SSRF) in PHPOffice PhpSpreadsheet

Severity: High
Tags: Vulnerability, CVE-2025-54370, CWE-918
Published: Mon Aug 25 2025 (08/25/2025, 14:08:58 UTC)
Source: CVE Database V5
Vendor/Project: PHPOffice
Product: PhpSpreadsheet

Description

PhpOffice/PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to versions 1.30.0, 2.1.12, 2.4.0, 3.10.0, and 5.0.0, SSRF can occur when a processed HTML document is read and displayed in the browser. The vulnerability lies in the setPath method of the PhpOffice\PhpSpreadsheet\Worksheet\Drawing class, where a crafted string from the user is passed to the HTML reader. This issue has been patched in versions 1.30.0, 2.1.12, 2.4.0, 3.10.0, and 5.0.0.

AI-Powered Analysis

Last updated: 08/25/2025, 14:32:53 UTC

Technical Analysis

CVE-2025-54370 is a high-severity Server-Side Request Forgery (SSRF) vulnerability affecting the PHPOffice PhpSpreadsheet library, a widely used PHP library for reading and writing spreadsheet files. The vulnerability exists in the setPath method of the PhpOffice\PhpSpreadsheet\Worksheet\Drawing class, where user-supplied input is passed unsafely to the HTML reader component. Specifically, when an HTML document is processed and displayed in a browser, a crafted string can trigger SSRF, allowing an attacker to make arbitrary HTTP requests from the server hosting the vulnerable application. This can lead to unauthorized internal network scanning, access to internal services, or exploitation of other vulnerabilities within the internal network. The issue affects multiple versions of PhpSpreadsheet prior to 1.30.0, 2.1.12, 2.4.0, 3.10.0, and 5.0.0, with patches released in these versions to remediate the flaw. The vulnerability has a CVSS 4.0 base score of 8.7, indicating high severity, with characteristics including network attack vector, no required privileges or user interaction, and high impact on confidentiality due to the ability to access internal resources. No known exploits are currently reported in the wild, but the potential for exploitation is significant given the library’s widespread use in PHP applications handling spreadsheet files, especially those that render HTML content derived from user input or untrusted sources.

Potential Impact

For European organizations, the impact of this SSRF vulnerability can be substantial. Many enterprises and public sector entities in Europe rely on PHP-based web applications that utilize PhpSpreadsheet for document processing and reporting. Exploitation of this vulnerability could allow attackers to pivot from the exposed web server into internal networks, potentially accessing sensitive data, internal APIs, or administrative interfaces that are not otherwise exposed externally. This could lead to data breaches, disruption of internal services, or further lateral movement within the network. Given the strict data protection regulations in Europe, such as GDPR, any data exposure resulting from this vulnerability could also lead to significant legal and financial penalties. Additionally, critical infrastructure and government services that use PHP applications with PhpSpreadsheet could face operational risks if attackers leverage SSRF to disrupt or manipulate internal systems.

Mitigation Recommendations

European organizations should immediately verify the versions of PhpSpreadsheet in use and upgrade to the patched versions 1.30.0, 2.1.12, 2.4.0, 3.10.0, or 5.0.0 as applicable. Beyond upgrading, organizations should implement strict input validation and sanitization on any user-supplied data that is processed by PhpSpreadsheet, especially data that influences HTML rendering or file paths. Network-level controls should be enforced to restrict outbound HTTP requests from web servers to only necessary destinations, using egress filtering and web application firewalls (WAFs) configured to detect and block SSRF patterns. Additionally, internal services should be segmented and protected with strong authentication and authorization controls to limit the impact of any SSRF exploitation. Logging and monitoring should be enhanced to detect unusual outbound requests from web servers, which may indicate exploitation attempts. Finally, organizations should conduct security assessments and penetration testing focused on SSRF vectors in their PHP applications to identify and remediate any residual risks.
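The input-validation advice above, as an added example that is not PhpSpreadsheet's own code: an application-side check that confines any path it hands to Drawing::setPath to an allow-listed local directory, rejecting URL schemes and stream wrappers, directory escapes, and non-image files. The names resolveLocalImagePath, $imageRoot and the images directory are hypothetical; $_GET['logo'] stands in for whatever untrusted input the application receives. This guards the application's own calls to setPath; the HTML reader path named in the advisory is fixed by upgrading.

```php
<?php
// Added example, not PhpSpreadsheet's own code. $imageRoot and $userPath are
// hypothetical names: the allow-listed directory and the untrusted input.
require 'vendor/autoload.php';

use PhpOffice\PhpSpreadsheet\Spreadsheet;
use PhpOffice\PhpSpreadsheet\Worksheet\Drawing;

// Canonical path of $userPath inside $imageRoot, or null when the input carries
// a scheme (http://, php://, data:, ...), escapes the root, or is not an image.
function resolveLocalImagePath(string $imageRoot, string $userPath): ?string
{
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $userPath)) {
        return null;                                   // URL or stream wrapper
    }
    $root = realpath($imageRoot);
    if ($root === false) {
        return null;
    }
    $candidate = realpath($root . DIRECTORY_SEPARATOR . ltrim($userPath, '/\\'));
    if ($candidate === false || !is_file($candidate)) {
        return null;                                   // missing or not a file
    }
    // realpath() has collapsed any "../", so a prefix check confines it to $root.
    if (strncmp($candidate, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;                                   // escaped the directory
    }
    $info = @getimagesize($candidate);                 // must be a real raster image
    if ($info === false || !in_array($info[2], [IMAGETYPE_PNG, IMAGETYPE_JPEG, IMAGETYPE_GIF], true)) {
        return null;
    }
    return $candidate;
}

// Vulnerable pattern: the untrusted string goes straight to setPath().
//   $drawing->setPath($_GET['logo']);

// Hardened pattern: only a validated local path reaches setPath().
$imageRoot = __DIR__ . '/images';
$safePath  = resolveLocalImagePath($imageRoot, $_GET['logo'] ?? '');
if ($safePath === null) {
    http_response_code(400);
    exit('invalid image reference');
}
$spreadsheet = new Spreadsheet();
$drawing = new Drawing();
$drawing->setPath($safePath);
$drawing->setCoordinates('A1');
$drawing->setWorksheet($spreadsheet->getActiveSheet());
```

Pair this with the egress filtering described above: the check stops the application from requesting a path it did not intend, while egress rules limit what the server can reach if any other code path still fetches remote resources.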


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-07-21T16:12:20.732Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68ac70a0ad5a09ad004c3ba9

Added to database: 8/25/2025, 2:18:08 PM

Last enriched: 8/25/2025, 2:32:53 PM

Last updated: 8/26/2025, 12:34:54 AM

