CVE-2025-48882: PHPOffice Math allows XXE when processing an XML file in the MathML format

Product: Math Version: 0.2.0 CWE-ID: CWE-611: Improper Restriction of XML External Entity Reference CVSS vector v.4.0: 8.7 (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N) CVSS vector v.3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) Description: An attacker can create a special XML file, during which it processed, external entities are loaded, and it’s possible to read local server files. Impact: Local server files reading Vulnerable component: The loadXML function with the unsafe LIBXML_DTDLOAD flag, the MathML class Exploitation conditions: The vulnerability applies only to reading a file in the MathML format. Mitigation: If there is no option to refuse using the LIBXML_DTDLOAD flag, it’s recommended to filter external entities through the implementation of the custom external entity loader function. Researcher: Aleksandr Zhurnakov (Positive Technologies)