The vulnerability in PhpSpreadsheet arises from the XLSX reader's ColumnAndRowAttributes::readRowAttributes() method failing to validate the 'r' attribute of <row> elements against the maximum spreadsheet row limit (1,048,576). An attacker can exploit this by crafting a minimal XLSX file containing a <row r="999999999"/> element, which inflates the cachedHighestRow variable to 999,999,999. Subsequent row iterations then attempt to loop nearly one billion times, causing excessive CPU consumption and potential denial of service. This issue affects multiple versions of PhpSpreadsheet before the fixed releases 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0. The CVSS v3.1 score is 7.5, indicating high severity, with network attack vector, low attack complexity, no privileges required, no user interaction, and impact limited to availability (denial of service).

Successful exploitation results in denial of service due to CPU exhaustion when processing a malicious XLSX file with an inflated row number attribute. There is no impact on confidentiality or integrity. The vulnerability can be triggered remotely by an unauthenticated attacker supplying a crafted XLSX file to an application using the vulnerable PhpSpreadsheet versions.

Fixed versions 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0 of PhpSpreadsheet address this vulnerability by properly validating row numbers against the maximum allowed limit. Users should upgrade to one of these versions or later. Patch status is not explicitly stated beyond these fixed versions; therefore, verify with the vendor advisory for the latest remediation guidance. No other mitigation or temporary fix is indicated in the provided data.