Description
PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0, the SpreadsheetML XML reader (Reader\Xml) does not validate the ss:Index row attribute against the maximum allowed row count (AddressRange::MAX_ROW = 1,048,576). An attacker can craft a SpreadsheetML XML file with ss:Index="999999999" on a <Row> element, which inflates the internal cachedHighestRow to ~1 billion. Any subsequent call to getRowIterator() without an explicit end row will attempt to iterate ~1 billion rows, causing CPU exhaustion and denial of service. This vulnerability is fixed in 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0.
Published: 2026-05-12
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in PhpSpreadsheet's SpreadsheetML XML reader (Reader\Xml) lets a file set the ss:Index attribute of a <Row> element far beyond the maximum row count (AddressRange::MAX_ROW = 1,048,576). Because the reader does not validate the attribute, the worksheet's cachedHighestRow value is inflated to roughly one billion. Any later call to getRowIterator() without an explicit end row then walks that inflated range, burning CPU for every phantom row and denying service to the process handling the file. The weakness is classified as allocation of resources without limits or throttling (CWE-770).

Affected Systems

The affected product is PHPOffice PhpSpreadsheet; all versions before 1.30.4, 2.1.16, 2.4.5, 3.10.5 and 5.7.0 are vulnerable. Any PHP application that bundles PhpSpreadsheet v1.x, v2.x, v3.x or v5.x and passes untrusted spreadsheet files to Reader\Xml, either directly or through IOFactory::load() (which chooses a reader by inspecting the file content, so an upload that is not a valid .xlsx can still be routed to the Xml reader), may be affected. The fix is to upgrade to the patched release of the branch in use or newer.

Risk and Exploitability

The CVSS v3.1 base score is 7.5 (High), with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H: reachable over the network, low attack complexity, no privileges or user interaction required, and an impact confined to availability. EPSS is not yet available, so the exploitation probability cannot be quantified, and the CVE is not listed in CISA KEV. Any attacker who can get a crafted SpreadsheetML file processed by the library, typically through an upload or import feature, can trigger the condition; the file is tiny and no special network position is needed.

Generated by OpenCVE AI on May 12, 2026 at 23:38 UTC.

Remediation

Fixed by the vendor in PhpSpreadsheet 1.30.4, 2.1.16, 2.4.5, 3.10.5 and 5.7.0 (see GHSA-84wq-86v6-x5j6). No separate workaround is documented by the vendor; the mitigations below are application-side measures.

OpenCVE Recommended Actions

  • Update PhpSpreadsheet to 1.30.4, 2.1.16, 2.4.5, 3.10.5 or 5.7.0 (or newer on the same branch), where the Xml reader validates ss:Index against AddressRange::MAX_ROW.
  • Until then, never call getRowIterator() on a sheet built from untrusted input without an explicit end row (for example getHighestDataRow() capped at a limit your application chooses), and reject SpreadsheetML files that carry an ss:Index greater than 1,048,576 before handing them to the reader. If you only accept .xlsx, create the Xlsx reader explicitly instead of letting IOFactory::load() pick a reader by sniffing the file.
  • Run spreadsheet parsing in a worker with an execution time limit, monitor its CPU usage, and rate-limit uploads so a single malicious file cannot tie up the server.
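The description above explains the mechanism (an unvalidated ss:Index inflating cachedHighestRow) and the actions above describe the mitigation (explicit end row, rejecting oversized indices). The PHP script below, added here as an example and not taken from PhpSpreadsheet or from the advisory, demonstrates both: a streaming pre-check that rejects any SpreadsheetML file whose ss:Index on a <Row> or <Cell> lies outside the address limits, and a loader that never calls getRowIterator() without an explicit end row. It assumes PhpSpreadsheet is installed through Composer (AddressRange::MAX_ROW, IOFactory, getHighestDataRow() and getRowIterator() are the library's own API); SS_NS, MAX_COLUMN, findOversizedIndex(), countRowsBounded(), the 100,000-row policy limit and the two constructed sample files are this example's assumptions.

```php
<?php
declare(strict_types=1);

// Added example for this advisory, not code from PhpSpreadsheet or from the
// advisory itself. Assumes PhpSpreadsheet is installed through Composer;
// SS_NS, MAX_COLUMN, findOversizedIndex(), countRowsBounded() and the two
// sample files are defined here for illustration only.
require __DIR__ . '/vendor/autoload.php';

use PhpOffice\PhpSpreadsheet\Cell\AddressRange;
use PhpOffice\PhpSpreadsheet\IOFactory;

const SS_NS = 'urn:schemas-microsoft-com:office:spreadsheet';
const MAX_COLUMN = 16384; // Excel's column limit (XFD); the row limit is the library's.

/**
 * Stream the file once with XMLReader and refuse any ss:Index on <Row> or
 * <Cell> that is not a positive integer within the address limits. Returns
 * null when the file is acceptable, otherwise a short reason. Runs before
 * Reader\Xml sees the file, so an unpatched reader never caches a huge row.
 */
function findOversizedIndex(string $path): ?string
{
    $xml = new XMLReader();
    // LIBXML_NONET: an untrusted document must never pull in remote content.
    if (!$xml->open($path, null, LIBXML_NONET)) {
        return 'file is not readable as XML';
    }
    $reason = null;
    while ($reason === null && $xml->read()) {
        if ($xml->nodeType !== XMLReader::ELEMENT || $xml->namespaceURI !== SS_NS) {
            continue;
        }
        if ($xml->localName === 'Row') {
            $limit = AddressRange::MAX_ROW; // 1,048,576
        } elseif ($xml->localName === 'Cell') {
            $limit = MAX_COLUMN;
        } else {
            continue;
        }
        $index = $xml->getAttributeNs('Index', SS_NS);
        if ($index === null) {
            continue; // no ss:Index: the reader simply advances by one
        }
        if (!ctype_digit($index) || (int) $index < 1 || (int) $index > $limit) {
            $reason = sprintf('%s ss:Index="%s" is outside 1..%d', $xml->localName, $index, $limit);
        }
    }
    $xml->close();
    return $reason;
}

/**
 * Defence in depth on the iteration side: always give getRowIterator() an
 * explicit end row, and refuse sheets whose data extent exceeds what this
 * application is prepared to process. $maxRows is an application policy.
 */
function countRowsBounded(string $path, int $maxRows = 100000): int
{
    $reader = IOFactory::createReader('Xml'); // never let IOFactory::load() sniff
    $reader->setReadDataOnly(true);
    $spreadsheet = $reader->load($path);
    $sheet = $spreadsheet->getActiveSheet();

    $highest = $sheet->getHighestDataRow();
    if ($highest > $maxRows) {
        $spreadsheet->disconnectWorksheets();
        throw new RuntimeException("sheet extends to row $highest, limit is $maxRows");
    }
    $rows = 0;
    // The explicit end row bounds the loop no matter what the reader cached.
    foreach ($sheet->getRowIterator(1, $highest) as $row) {
        $rows++;
    }
    $spreadsheet->disconnectWorksheets();
    return $rows;
}

// Constructed samples: a benign SpreadsheetML file and one carrying the
// ss:Index pattern named in the advisory.
$template = '<?xml version="1.0"?><?mso-application progid="Excel.Sheet"?>'
    . '<Workbook xmlns="urn:schemas-microsoft-com:office:spreadsheet"'
    . ' xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet">'
    . '<Worksheet ss:Name="Sheet1"><Table>'
    . '<Row%s><Cell><Data ss:Type="String">x</Data></Cell></Row>'
    . '</Table></Worksheet></Workbook>';
$benign = tempnam(sys_get_temp_dir(), 'ok');
$malicious = tempnam(sys_get_temp_dir(), 'bad');
file_put_contents($benign, sprintf($template, ''));
file_put_contents($malicious, sprintf($template, ' ss:Index="999999999"'));

var_dump(findOversizedIndex($benign));
var_dump(findOversizedIndex($malicious));
echo countRowsBounded($benign), " row(s) processed\n";
```

Run findOversizedIndex() on every upload before the library touches it; the check is a single streaming pass and costs nothing compared with parsing. The second function matters even on a patched library: an explicit end row and an application-level row cap keep a legitimate but enormous sheet from monopolising a worker, which the upstream fix alone does not address.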

Advisories

  Source: GitHub GHSA
  ID: GHSA-84wq-86v6-x5j6
  Title: PhpSpreadsheet has CPU Denial of Service via Unbounded Row Index in SpreadsheetML XML Reader
History

Wed, 13 May 2026 00:00:00 +0000 (values added; none removed)

  First Time appeared: Phpoffice; Phpoffice phpspreadsheet
  Vendors & Products: Phpoffice; Phpoffice phpspreadsheet

Tue, 12 May 2026 22:15:00 +0000 (values added; none removed)

  Description: PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0, the SpreadsheetML XML reader (Reader\Xml) does not validate the ss:Index row attribute against the maximum allowed row count (AddressRange::MAX_ROW = 1,048,576). An attacker can craft a SpreadsheetML XML file with ss:Index="999999999" on a <Row> element, which inflates the internal cachedHighestRow to ~1 billion. Any subsequent call to getRowIterator() without an explicit end row will attempt to iterate ~1 billion rows, causing CPU exhaustion and denial of service. This vulnerability is fixed in 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0.
  Title: PhpSpreadsheet: CPU Denial of Service via Unbounded Row Index in SpreadsheetML XML Reader
  Weaknesses: CWE-770
  References: (none)
  Metrics: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-05-12T22:04:29.510Z
Reserved: 2026-04-15T15:57:41.717Z
Link: CVE-2026-40863

Vulnrichment

No data.

NVD

Status: Received
Published: 2026-05-12T22:16:33.783
Modified: 2026-05-12T22:16:33.783
Link: CVE-2026-40863

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T23:45:25Z

Weaknesses