CVE-2026-45034

PHPOffice · PhpSpreadsheet

An input validation flaw in PhpSpreadsheet allows attackers to bypass the library's stream-wrapper protections, leading to potential Remote Code Execution (RCE) via phar metadata deserialization.

Executive summary

A critical input validation vulnerability in PHPOffice PhpSpreadsheet allows an unauthenticated attacker who can influence the file path handed to the library to reach phar metadata deserialization and achieve Remote Code Execution. The payload is a phar-formatted file the attacker has placed on the server (a phar archive can carry any extension, including a spreadsheet one), referenced through a phar:// path that the library's checks fail to reject.

Vulnerability

The library fails to correctly sanitize file paths containing phar wrappers when given specifically malformed input. A path crafted this way passes the File::prohibitWrappers check, so a subsequent filesystem operation on the phar:// path deserializes the phar's metadata. On PHP 7.x, filesystem functions such as file_exists() and is_file() unserialize phar metadata automatically, so an attacker-controlled path plus a usable gadget chain in the application's loaded classes yields RCE. PHP 8.0 removed that automatic unserialization (metadata is only unserialized on an explicit Phar::getMetadata() call), which is why the RCE impact is scoped to PHP 7.x environments; on PHP 8 the bypass is still a validation defect and should be patched.

Business impact

This vulnerability carries a CVSS score of 9.2, reflecting its potential for full system compromise. Successful exploitation lets an attacker execute arbitrary code with the privileges of the web server or PHP-FPM worker user, leading to data exfiltration, unauthorized system access, and potential lateral movement within the network.

Remediation

Immediate Action: Upgrade the PHPOffice PhpSpreadsheet library to version 1.30.5 or a later release that carries the fix. Where the library arrives transitively (Composer dependency of another package), confirm the resolved version in composer.lock rather than the top-level constraint.

Proactive Monitoring: Monitor web server and application logs for request parameters or file names carrying stream-wrapper schemes such as phar://, php://, or data://, including percent-encoded (phar%3A%2F%2F), double-encoded and mixed-case variants, and correlate hits with the file-import endpoints that call PhpSpreadsheet.

Compensating Controls: Validate uploads strictly (allow-list of extensions and content types, rename on storage, store under a fixed directory) and never pass a client-supplied string to the library as a path. Resolve the name to a canonical path under that fixed directory and reject anything containing a wrapper scheme before any filesystem call touches it, independent of the library's own check.
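The monitoring and compensating-control items above, as an added example that is not PhpSpreadsheet's own code: an application-side path guard that only ever hands a canonical on-disk file to the loader, and a classifier for access-log lines that catches wrapper schemes in decoded, percent-encoded, double-encoded and mixed-case forms. UPLOAD_DIR, ALLOWED_EXTENSIONS, the wrapper list and the sample log lines are all constructed for this example; IOFactory::load() is the real PhpSpreadsheet entry point the vetted path would be passed to.

```php
<?php
declare(strict_types=1);

// Added example, not PhpSpreadsheet's code. Assumptions (ours): uploads are stored
// flat under UPLOAD_DIR (hypothetical path) with an extension allow-list; log lines
// are Apache/nginx combined format. Kept PHP 7-compatible, since the automatic
// phar-metadata path that makes this RCE only exists on 7.x.

const UPLOAD_DIR = '/var/app/uploads';
const ALLOWED_EXTENSIONS = ['xlsx', 'xls', 'ods', 'csv'];

// Wrapper schemes that have no business in a request target or a file name.
// A scheme must start the string or follow a non-name character, so
// "photo.php:1" is not flagged but "?f=phar://x" and "x;data:" are.
const WRAPPER_RE = '#(?:^|[^a-z0-9.+-])(?:phar|php|data|glob|zip|compress\.(?:zlib|bzip2)|file|expect)\s*:#i';

/** Undo up to three layers of percent-encoding; stop when a pass changes nothing. */
function fullyDecode(string $s): string
{
    for ($i = 0; $i < 3; $i++) {
        $d = rawurldecode($s);
        if ($d === $s) {
            break;
        }
        $s = $d;
    }
    return $s;
}

/**
 * Vet a client-supplied file name and return the path to hand to IOFactory::load().
 * Order matters: wrappers are ruled out before realpath()/is_file() run, because
 * is_file()/file_exists() on a phar:// path is what unserializes phar metadata
 * on PHP 7.x. realpath() itself ignores stream wrappers, but we never rely on that.
 */
function safeSpreadsheetPath(string $userPath): string
{
    if (strpos($userPath, "\0") !== false) {
        throw new InvalidArgumentException('NUL byte in file name');
    }
    $decoded = fullyDecode($userPath);
    // Allow-list is "bare file name only": any scheme prefix or "://" is rejected,
    // not just phar, so a second wrapper (zip://, compress.zlib://) cannot front it.
    if (preg_match('#^\s*[a-z][a-z0-9+.-]*:#i', $decoded) === 1
        || strpos($decoded, '://') !== false
        || preg_match(WRAPPER_RE, $decoded) === 1) {
        throw new InvalidArgumentException('Stream wrappers are not allowed');
    }
    // Flat store: drop any directory component, which also neutralises "../".
    $name = basename($decoded);
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if ($name === '' || $name[0] === '.' || !in_array($ext, ALLOWED_EXTENSIONS, true)) {
        throw new InvalidArgumentException('File type not allowed');
    }
    $base = realpath(UPLOAD_DIR);
    $real = $base === false ? false : realpath($base . '/' . $name);
    if ($real === false || strpos($real, $base . '/') !== 0 || !is_file($real)) {
        throw new RuntimeException('No such spreadsheet');
    }
    return $real; // use PhpOffice\PhpSpreadsheet\IOFactory; IOFactory::load($real);
}

/**
 * Parse one combined-format access-log line and report whether its request target
 * (path + query) carries a wrapper scheme. Returns null for lines that do not parse.
 */
function wrapperProbeInLog(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "[A-Z]+ (\S+)(?: HTTP\/[\d.]+)?" (\d{3})/', $line, $m)) {
        return null;
    }
    return [
        'ip'         => $m[1],
        'target'     => $m[3],
        'suspicious' => preg_match(WRAPPER_RE, fullyDecode($m[3])) === 1,
    ];
}

// Constructed sample log lines (not real traffic) and sample file-name inputs.
$logLines = [
    '10.0.0.5 - - [03/Mar/2026:09:12:01 +0000] "GET /import?file=report.xlsx HTTP/1.1" 200 512',
    '10.0.0.9 - - [03/Mar/2026:09:12:07 +0000] "GET /import?file=phar://uploads/x.xlsx/a HTTP/1.1" 500 0',
    '10.0.0.9 - - [03/Mar/2026:09:12:09 +0000] "GET /import?file=PHAR%3A%2F%2Fuploads%2Fx.xlsx%2Fa HTTP/1.1" 500 0',
    '10.0.0.9 - - [03/Mar/2026:09:12:11 +0000] "GET /import?file=data:text/plain;base64,UEsDBA== HTTP/1.1" 400 0',
];
foreach ($logLines as $line) {
    $r = wrapperProbeInLog($line);
    printf("%-9s %-8s %s\n", $r['ip'], $r['suspicious'] ? 'SUSPECT' : 'ok', $r['target']);
}
foreach (['report.xlsx', 'phar://uploads/x.xlsx/a', '..%2F..%2Fetc%2Fpasswd', 'PHAR%253A//x'] as $in) {
    try {
        echo "accept $in -> " . safeSpreadsheetPath($in) . "\n";
    } catch (Exception $e) {
        echo "reject $in: " . $e->getMessage() . "\n";
    }
}
```

Run stand-alone, the first three log lines after the clean one are reported as SUSPECT (the double-encoded and mixed-case variants only because the scheme check runs after fullyDecode()), and every file-name input is rejected, report.xlsx included, since UPLOAD_DIR does not exist in a demo run; point UPLOAD_DIR at a real directory to see an accept. The guard is deliberately stricter than the library's own wrapper check: it refuses every scheme prefix, not just phar, so it stays a useful defence-in-depth layer on PHP 8 as well, where the automatic metadata deserialization is gone but other wrappers (zip://, compress.zlib://, data://) still read attacker-chosen content.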

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical severity of this RCE vulnerability, organizations using PhpSpreadsheet must prioritize updating to version 1.30.5 or later. Until the upgrade lands, treat every code path that passes a client-influenced file name to the library as a potential RCE vector on PHP 7.x and front it with the application-side path validation described above; no public exploit is known at the time of writing, but the attack technique (phar metadata deserialization through a filesystem call) is well documented and requires no novel research once the bypass details are public.