Description
PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0, the XLSX reader's ColumnAndRowAttributes::readRowAttributes() method reads row numbers from XML attributes without validating them against the spreadsheet maximum row limit (AddressRange::MAX_ROW = 1,048,576). An attacker can craft a minimal XLSX file (~1.6KB) containing a <row r="999999999"/> element that inflates cachedHighestRow to 999,999,999, causing any subsequent row iteration to attempt ~1 billion loop cycles and exhaust CPU resources. This vulnerability is fixed in 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0.
Published: 2026-05-12
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

PhpSpreadsheet does not validate the row number given in an XLSX file's <row> element. An attacker can create a minimal spreadsheet containing a row with a very large number, such as <row r="999999999"/>. The reader records that value as the highest row and then iterates up to it, so roughly one billion loop iterations run and can exhaust the processing server's CPU. The flaw does not yield code execution, but it can render the application or server unavailable until the work completes or the process is killed.

Affected Systems

The vulnerability affects the PhpSpreadsheet library distributed by PHPOffice. Versions earlier than 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0 are impacted. Upgrading to any of those fixed releases or later mitigates the issue.

Risk and Exploitability

The CVSS score is 7.5, indicating high severity. The EPSS score is not available, and the vulnerability is not listed in CISA's KEV catalog. Based on the description, the likely attack vector is an attacker submitting a crafted XLSX file to an application that reads spreadsheets, which then performs the CPU-intensive row iteration. Exploitation requires only the ability to supply an XLSX file, which is an ordinary user action in many deployments, so the vulnerability is exploitable under typical usage.

Generated by OpenCVE AI on May 12, 2026 at 23:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PhpSpreadsheet to version 1.30.4 or later (or to 2.1.16, 2.4.5, 3.10.5, or 5.7.0).
  • Before processing an XLSX file, check that any <row r="…"> attribute does not exceed the maximum allowed row count (1,048,576) and reject or truncate files that violate this constraint.
  • Configure PHP or the host environment to limit script execution time and CPU usage for spreadsheet processing, or run the processing in a sandboxed context to contain any denial‑of‑service impact.
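An added example, not code from PhpSpreadsheet or OpenCVE, implementing the second recommended action in PHP: it opens the XLSX archive, pull-parses every worksheet part, and rejects the file if any <row r="..."> falls outside 1..1,048,576 (the AddressRange::MAX_ROW limit from the description). The script name, the CLI argument and the default file name are assumptions.

```php
<?php
// Added example, not PhpSpreadsheet's or OpenCVE's code: screen every worksheet
// part of an XLSX for <row r="..."> values outside 1..MAX_ROW before the file
// reaches IOFactory::load(). The limit matches AddressRange::MAX_ROW above.
// findOversizedRows() returns a list of findings; empty means the file passed.
declare(strict_types=1);
const XLSX_MAX_ROW = 1048576;

function findOversizedRows(string $xlsxPath, int $maxRow = XLSX_MAX_ROW): array
{
    $findings = [];
    $zip = new ZipArchive();
    if ($zip->open($xlsxPath, ZipArchive::RDONLY) !== true) {
        return ["$xlsxPath: not a readable zip archive"];
    }
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if (!preg_match('#^xl/worksheets/[^/]+\.xml$#', $name)) {
            continue; // only worksheet parts carry <row> elements
        }
        $part = $zip->getFromIndex($i);
        $reader = new XMLReader();
        // Pull parsing keeps memory flat for large sheets; LIBXML_NONET blocks
        // network fetches, and XMLReader does not expand entities by default.
        if ($part === false || !$reader->XML($part, null, LIBXML_NONET)) {
            $findings[] = "$name: part could not be loaded";
            continue;
        }
        while ($reader->read()) {
            if ($reader->nodeType !== XMLReader::ELEMENT || $reader->localName !== 'row') {
                continue;
            }
            $r = $reader->getAttribute('r'); // optional in the OOXML schema
            // FILTER_VALIDATE_INT also rejects values that overflow PHP's int.
            $inRange = filter_var($r ?? '1', FILTER_VALIDATE_INT,
                ['options' => ['min_range' => 1, 'max_range' => $maxRow]]);
            if ($inRange === false) {
                $findings[] = "$name: <row r=\"$r\"> is outside 1..$maxRow";
            }
        }
        $reader->close();
    }
    $zip->close();
    return $findings;
}

// CLI usage: php check_rows.php upload.xlsx ; a non-zero exit means reject it.
$problems = findOversizedRows($argv[1] ?? 'upload.xlsx');
foreach ($problems as $problem) { fwrite(STDERR, "$problem\n"); }
exit($problems === [] ? 0 : 1);
```

Run it on an upload before the file is handed to PhpSpreadsheet; a non-empty result from findOversizedRows() is the signal to reject the file.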

Advisories
Source: Github GHSA
ID: GHSA-7c6m-4442-2x6m
Title: PhpSpreadsheet has CPU Denial of Service via Unbounded Row Number in XLSX Row Dimensions
History

Wed, 13 May 2026 00:00:00 +0000

Type: First Time appeared
Values Added: Phpoffice; Phpoffice phpspreadsheet
Type: Vendors & Products
Values Added: Phpoffice; Phpoffice phpspreadsheet

Tue, 12 May 2026 22:15:00 +0000

Type: Description
Values Added: the Description text shown at the top of this page
Type: Title
Values Added: PhpSpreadsheet: CPU Denial of Service via Unbounded Row Number in XLSX Row Dimensions
Type: Weaknesses
Values Added: CWE-770
Type: References
Type: Metrics
Values Added: cvssV3_1, score 7.5, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T22:02:39.802Z

Reserved: 2026-04-15T16:37:22.767Z

Link: CVE-2026-40902

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-12T22:16:33.923

Modified: 2026-05-12T22:16:33.923

Link: CVE-2026-40902

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T23:45:25Z

Weaknesses