The Spreadsheet::ParseXLSX package before 0.28 for Perl can encounter an out-of-memory condition during parsing of a crafted XLSX document. This occurs because the memoize implementation does not have appropriate constraints on merged cells.

• https://github.com/haile01/perl_spreadsheet_excel_rce_poc/blob/main/parse_xlsx_bomb.md
• https://github.com/briandfoy/cpan-security-advisory/issues/131
• https://nvd.nist.gov/vuln/detail/CVE-2024-22368
• https://github.com/haile01/perl_spreadsheet_excel_rce_poc/blob/main/parse_xlsx_bomb.md
• https://metacpan.org/dist/Spreadsheet-ParseXLSX/changes
• https://github.com/advisories/GHSA-x2hg-844v-frvh

In default configuration of Spreadsheet::ParseXLSX, whenever we call Spreadsheet::ParseXLSX->new()->parse('user_input_file.xlsx'), we'd be vulnerable for XXE vulnerability if the XLSX file that we are parsing is from user input.

• https://metacpan.org/release/NUDDLEGG/Spreadsheet-ParseXLSX-0.30/changes
• https://gist.github.com/phvietan/d1c95a88ab6e17047b0248d6bf9eac4a
• https://github.com/briandfoy/cpan-security-advisory/issues/134
• https://github.com/MichaelDaum/spreadsheet-parsexlsx/issues/10
• https://github.com/advisories/GHSA-cxjh-j6f8-vrmf
• https://nvd.nist.gov/vuln/detail/CVE-2024-23525