GHSA-534c-hcr7-67jg
MEDIUMKimai has an XXE Leading to Local File Read
Blast Radius
kimai/kimaiReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Packagist packages — download data is not available via public APIs for these ecosystems.
Description
Summary
Kimai uses PHPSpreadsheet for importing and exporting invoices. Recently, a CVE was identified in PHPSpreadsheet, which could lead to an XXE vulnerability.
Details
Exploitation requires an Administrator account, allowing the upload of an XLSX template containing the payload. The vulnerability is triggered by the following code snippet:
// https://github.com/kimai/kimai/blob/b1903ba18359be16dd32ea9c40377c486498f082/src/Invoice/Renderer/AbstractSpreadsheetRenderer.php#L41
public function render(InvoiceDocument $document, InvoiceModel $model): Response
{
$spreadsheet = IOFactory::load($document->getFilename());
$worksheet = $spreadsheet->getActiveSheet();
$entries = $model->getCalculator()->getEntries();
$sheetReplacer = $model->toArray();
$invoiceItemCount = \count($entries);
if ($invoiceItemCount > 1) {
$this->addTemplateRows($worksheet, $invoiceItemCount);
}
}
The IOFactory::load function utilizes simplexml_load_string, which has previously been demonstrated to be vulnerable to XXE attacks.
While this is not directly an XXE in Kimai, it does however impact the latest stable version.
PoC
By uploading a malicious XLSX template, the payload will be triggered every time an invoice is generated.
<?xml version="1.0" encoding='UTF-7' standalone="yes"?>
+ADw-!DOCTYPE foo [ <!ENTITY % xxe SYSTEM "php://filter/......." > %xxe;]>.....
For a better a visibility, I will upload both a:
- Malicious template sample for testing
- An exported invoice, showing the contents of target file during the export.
Impact
Local File Read / RCE in edge cases where phar:// can be utilized with gadget chains .
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐘Packagist | kimai/kimai | all versions | 2.21.0 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for kimai/kimai. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update kimai/kimai to 2.21.0 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-534c-hcr7-67jg is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-534c-hcr7-67jg is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-534c-hcr7-67jg. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-534c-hcr7-67jg in your dependencies?
O3 detects GHSA-534c-hcr7-67jg across Packagist dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.