CVE-2025-23210: PhpSpreadsheet allows bypassing of XSS sanitizer using the javascript protocol and special characters
(updated )
Product: PhpSpreadsheet
Version: 3.8.0
CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
CVSS vector v.3.1: 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
CVSS vector v.4.0: 4.8 (AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N)
Description: an attacker can use special characters, so that the library processes the javascript protocol with special characters and generates an HTML link
Impact: executing arbitrary JavaScript code in the browser
Vulnerable component: class PhpOffice\PhpSpreadsheet\Writer\Html
, method generateRow
Exploitation conditions: a user viewing a specially generated xml file
Mitigation: additional sanitization of special characters in a string
Researcher: Igor Sak-Sakovskiy (Positive Technologies)
References
Detect and mitigate CVE-2025-23210 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →