PhpSpreadsheet is a widely used library written in pure PHP. It offers a robust set of classes to read and write spreadsheet formats such as Excel and LibreOffice Calc, and it has accumulated over 312 million downloads. Recently, security researchers disclosed a critical PhpSpreadsheet RCE vulnerability and publicly released proof-of-concept exploit details. The flaw lets remote attackers execute arbitrary code, so countless web applications currently face an immediate threat of compromise.
Understanding the CVE-2026-45034 Exploit
The newly discovered issue, officially tracked as CVE-2026-45034, is exceptionally dangerous. Specifically, this bug is a direct patch bypass for a previous vulnerability, CVE-2026-34084. The root cause lies within a helper function named File::prohibitWrappers. Developers designed this helper to reject malicious stream wrappers like phar:// or php://. It relies on the parse_url function to extract and verify the URL scheme. Unfortunately, this implementation contains a fatal logical flaw: checking the scheme that parse_url returns is not the same as checking whether the path contains a wrapper.
The Slash Bypass Technique
Attackers can easily manipulate the input string to defeat the security check. When they use three or more slashes, such as phar:///path, the parse_url function fails. Instead of returning the scheme string, it simply returns a boolean false. Because of this, the subsequent security checks are completely skipped. The helper function then returns without throwing any exceptions. Meanwhile, PHP’s internal stream layer still recognizes the phar wrapper correctly. As a result, the application opens the dangerous file anyway.
Achieving Remote Code Execution
The exploitation impact heavily depends on the active PHP version. On PHP 7.x, merely reaching the phar wrapper via is_file triggers automatic deserialization. This automatic process invokes attacker-controlled magic methods, ultimately yielding full RCE. Conversely, PHP 8.x removed this automatic metadata deserialization feature. Therefore, the exploit reduces to a file read primitive on modern versions. However, full remote execution still resurfaces if the application manually calls Phar::getMetadata later. The proof-of-concept uses an exploit.phar file to easily demonstrate this complete attack chain.
Securing Your PHP Applications
Administrators must address this PhpSpreadsheet RCE vulnerability immediately. Security experts strongly advise against using parse_url to detect wrappers, because its behavior varies with the slash count and with the PHP version. Instead, developers should implement a strict string containment check. Additionally, validating paths through realpath() provides excellent protection against these wrappers. Currently, all 1.x branch versions up to 1.30.4 remain vulnerable to this bypass. To guarantee safety, users must upgrade to the newly patched version 1.30.5.
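The PHP sketch below is an added example and is not PhpSpreadsheet's own code. weakProhibitWrappers() reproduces the parse_url-based pattern the article describes, so the slash-count behaviour can be observed directly; strictProhibitWrappers() implements the advised string containment check, and resolveLocalPath() adds the realpath() validation, extended slightly beyond the article by also confining the resolved file to an allowed base directory. The function names, the wrapper list and the sample paths are assumptions constructed for this illustration.

```php
<?php
declare(strict_types=1);

// Added example, not PhpSpreadsheet's code. Function names, the wrapper list
// and the sample paths below are constructed for illustration.

const BLOCKED_WRAPPERS = ['phar', 'php', 'data', 'glob', 'expect'];

/**
 * Weak check in the style the article describes: extract the scheme with
 * parse_url() and reject it if it names a blocked wrapper.
 * Returns true when the path is accepted, false when it is rejected.
 */
function weakProhibitWrappers(string $filename): bool
{
    $scheme = parse_url($filename, PHP_URL_SCHEME);
    // parse_url() yields null when there is no scheme and false for input it
    // treats as malformed (three or more slashes after "scheme:"). Any
    // non-string result therefore falls through to "accept".
    if (is_string($scheme) && in_array(strtolower($scheme), BLOCKED_WRAPPERS, true)) {
        return false;
    }
    return true;
}

/**
 * Hardened check: does not depend on parse_url() at all. A blocked wrapper
 * name followed by ":" anywhere in the string is rejected, which covers
 * "phar://x" and "phar:///x" alike, in any letter case, whatever the slash count.
 */
function strictProhibitWrappers(string $filename): bool
{
    $lower = strtolower($filename);
    foreach (BLOCKED_WRAPPERS as $wrapper) {
        if (strpos($lower, $wrapper . ':') !== false) {
            return false;
        }
    }
    return true;
}

/**
 * Resolve an untrusted path to a real local file under $baseDir, or null.
 * The string check runs first so that no stream-aware filesystem function
 * (is_file, file_exists, fopen) ever sees a wrapper URL; realpath() then
 * canonicalises the path, which also neutralises "../" segments.
 */
function resolveLocalPath(string $filename, string $baseDir): ?string
{
    if (!strictProhibitWrappers($filename)) {
        return null;
    }
    $real = realpath($filename);
    $base = realpath($baseDir);
    if ($real === false || $base === false) {
        return null; // missing file, or a wrapper URL that realpath() cannot resolve
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved file lies outside the allowed directory
    }
    return $real;
}

// Constructed sample inputs: a plain path, the ordinary wrapper form, and the
// triple-slash form from the article. Nothing here creates or opens a phar.
$samples = [
    '/var/www/uploads/report.xlsx',
    'phar://uploads/report.xlsx',
    'phar:///var/www/uploads/report.xlsx',
    'PHAR:///var/www/uploads/report.xlsx',
];

foreach ($samples as $path) {
    printf(
        "%-40s weak=%-6s strict=%s\n",
        $path,
        weakProhibitWrappers($path) ? 'accept' : 'reject',
        strictProhibitWrappers($path) ? 'accept' : 'reject'
    );
}
```

Run it with php on the command line (filename of your choosing). Given the parse_url() behaviour the article describes, the weak check lets the two triple-slash inputs through while the strict check rejects every wrapper form; resolveLocalPath() shows the order of operations application code should follow before handing a user-supplied path to a reader.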
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.