← Back
CVE-2026-34084
critical
CVSS 9.8
Unsafe Deserialization in phpoffice/phpspreadsheet (CVE-2026-34084)
Summary
vulnerability in phpoffice/phpspreadsheet (CVE-2026-34084). Successful exploitation can lead to full system takeover. Exploitable via ``is_file``. Mitigation: upgrade to `1.30.3` or later.
AI summary openai / gpt-4o
A significant bug has been found in PhpSpreadsheet that could allow attackers to execute code remotely by exploiting specially crafted file paths. This vulnerability can seriously compromise your system. Updating to the patched version promptly is critical to avoid potential damage.
The vulnerability in PhpSpreadsheet's IOFactory::load method allows an attacker to misuse the user-controlled $filename parameter, primarily due to improper use of the is_file function. Versions affected are up to 1.30.2, with the patch released in 1.30.3. Attacks can use PHP wrappers like phar:// to execute RCE or SSRF. To mitigate, it is recommended to run 'composer require phpoffice/phpspreadsheet:^1.30.3'.
❓ What is the problem
Improper handling of user-controlled file paths in PhpSpreadsheet's IOFactory::load leads to SSRF/RCE.
📍 Affected scope
PhpSpreadsheet's IOFactory::load function uses vulnerable handling of $filename, affected up to version 1.30.2.
🔥 Severity
Critical severity, allows remote code execution and server-side request forgery.
🔧 How to fix
Upgrade to PhpSpreadsheet 1.30.3 or later using 'composer require phpoffice/phpspreadsheet:^1.30.3'.
🛡️ Workaround
No workaround available other than updating to the patched version.
🔍 Detection
Look for unauthorized file access patterns in logs, specifically with FTP, Phar, and SSH2.SFTP protocols.
Related past incidents Similar incidents extracted from past CVEs
PhpSpreadsheet prior 1.28.1 also had an SSRF vulnerability due to unsafe input handling in file paths.
PHP-FPM in PHP 7.3 had an RCE vulnerability similar in impact, exploiting incorrect path validation.
Unrelated software exploited PHP path misconfigurations, highlighting similar impact patterns.
If this happens at your company Expected impact per business scenario
📌 ECサイトの場
攻撃者が商品情報を外部のFTPサーバに流出させる原因になり、信頼失墜を招くリスク。
📌 業務SaaSの場
内部情報が漏洩し、機密性のあるデータが攻撃者により悪用される可能性。
📌 社内システムの場
攻撃者が管理者権限を乗っ取り、システム全体を不正操作される恐れ。
Recommended action
全サーバーに対して早急に最新の修正版にアップデートし、不正アクセスの監査を実施すること。
Response Actions (7 steps)
Concrete steps and command examples for SOC/SRE teams to execute in order
-
1Identify exposure identify
grep -r 'phpoffice/phpspreadsheet' . | grep -v node_modulesリポジトリと本番環境の依存ファイル (package-lock.json / requirements.txt / go.sum / Gemfile.lock 等) で `phpoffice/phpspreadsheet` を grep し、稼働しているサービス・バージョンを把握する。
-
2Match against affected range verify
Confirm if version satisfies `>= 4.0.0, <= 5.5.0`Step 1 で見つかったバージョンが影響範囲 `>= 4.0.0, <= 5.5.0` に該当するか照合。本番で稼働中ならインシデント扱い。
-
6Apply patch patch
Upgrade phpoffice/phpspreadsheet to 1.30.3ステージング環境で 1.30.3 に上げて回帰テスト → 本番反映。回帰テストはアプリの主要ハッピーパスと、Step 3 で見つけた異常検知の続報チェックを含めること。
-
7Post-deployment verification verify
Confirm patched version is live in productionパッチ適用後、ステージングで PoC または同等の悪用パターンを再現して脆弱性が閉じたことを確認。本番では Step 3 と同じログクエリでアラート再発が無いか継続監視。
Affected packages
composer
phpoffice/phpspreadsheet
[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.30.3"}]}]
Packagist
phpoffice/phpspreadsheet
[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.30.3"}]}]