Đình Hải Lê

**Name of the Vulnerable Software and Affected Versions** Spreadsheet::ParseXLSX versions prior to 0.28 **Description** The issue arises from the memoize implementation not having appropriate constraints on merged cells, leading to an out-of-memory condition when parsing a crafted XLSX document. This can cause a denial of service. **Recommendations** For versions prior to 0.28, update to version 0.28 or later to resolve the issue. As a temporary workaround, consider implementing constraints on merged cells in the memoize implementation to prevent out-of-memory conditions.

**Name of the Vulnerable Software and Affected Versions** Spreadsheet::ParseExcel version 0.65 **Description** The issue is related to the evaluation of Number format strings within the Excel parsing logic, which allows for arbitrary code execution due to passing unvalidated input from a file into a string-type `eval`. This vulnerability can be exploited when processing XLS or XLSX files that include specially crafted number formatting rules. The problem is caused by the use of data from the processed file when building the `eval` call. **Recommendations** For Spreadsheet::ParseExcel version 0.65, upgrade to version 0.66 to fix the issue. As a temporary workaround, consider disabling the use of Number format strings within the Excel parsing logic until a patch is available. Restrict access to the `eval` function to minimize the risk of exploitation. Avoid using the `eval` function with unvalidated input from files.