
CVE-2025-31672: Apache POI OOXML Vulnerable to Improper Input Validation in OOXML File Parsing

CVSS Score (v3.1)
5.3

Basic Information

EPSS Score
0.20268%
Published
4/9/2025
Updated
4/18/2025
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Package Name
org.apache.poi:poi-ooxml
Ecosystem
maven
Vulnerable Versions
< 5.4.0
First Patched Version
5.4.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability lies in the improper validation of OOXML files, which are essentially zip archives. Malicious users can craft files with duplicate zip entry names. The fix involves adding checks to detect and throw an exception when such duplicate entries are found.

  1. ZipInputStreamZipEntrySource.ZipInputStreamZipEntrySource: This constructor is directly involved in reading zip entries. The patch explicitly adds logic to track filenames and throw an InvalidZipException if a duplicate is encountered. This is a primary vulnerable function that was fixed.
  2. ZipSecureFile.validateEntryNames: This method already contained logic to detect duplicate names. The patch makes minor changes (making variables final). While not the direct fix, it's a key function involved in the validation process. The vulnerability existed because this check might not have been called or its results handled correctly in all scenarios prior to the patch.
  3. OPCPackage.open (multiple overloads): These methods are high-level entry points for opening and parsing OOXML packages. The patches modify them to catch the newly introduced InvalidZipException (originating from lower-level zip processing) and rethrow it as an InvalidFormatException. This shows that these methods previously did not handle the duplicate entry scenario correctly and would proceed with parsing, leading to the vulnerability.
  4. PackageHelper.open: This is another utility method for opening packages. It calls OPCPackage.open and its exception handling was updated in relation to the InvalidFormatException that can now be caused by duplicate entries.

The test cases added in TestXSSFWorkbook.java (e.g., testDuplicateFileReadAsOPCFile, testDuplicateFileReadAsFile, testDuplicateFileReadAsStream) confirm that opening a specially crafted file (duplicate-file.xlsx) now results in exceptions (InvalidFormatException or InvalidZipException), whereas previously it would have been processed, demonstrating the fix for the vulnerability in the XSSFWorkbook constructor and underlying OPCPackage.open calls.
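The duplicate-entry check that the patch adds to the ZipInputStreamZipEntrySource constructor, as an added example that is not Apache POI's own code: the class name, the method names and the hand-built sample archive are assumptions constructed here for illustration, and the guard is written as a stand-alone pre-check an application could run on an upload before handing the bytes to OPCPackage.open.

```java
import java.io.*;
import java.nio.*;
import java.nio.charset.StandardCharsets;
import java.util.*;
import java.util.zip.*;

public class DuplicateZipEntryCheck {
    // Pre-parse guard (hypothetical name): walk every local entry sequentially and
    // reject the archive at the first repeated name, before any OOXML parsing happens.
    static Set<String> rejectDuplicateEntries(InputStream in) throws IOException {
        Set<String> seen = new HashSet<>();
        try (ZipInputStream zis = new ZipInputStream(in)) {
            ZipEntry e;
            while ((e = zis.getNextEntry()) != null) {
                if (!seen.add(e.getName())) {
                    throw new ZipException("duplicate zip entry: " + e.getName());
                }
            }
        }
        return seen;
    }

    // Constructed sample input: ZipOutputStream refuses to write duplicate names, so the
    // STORED local-file records are written by hand. ZipInputStream reads local headers
    // in order and needs no central directory, which is why this minimal form suffices.
    static byte[] zipWithEntries(String... names) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        for (String name : names) {
            byte[] nameBytes = name.getBytes(StandardCharsets.UTF_8);
            byte[] data = ("<x>" + name + "</x>").getBytes(StandardCharsets.UTF_8);
            CRC32 crc = new CRC32(); crc.update(data);
            ByteBuffer hdr = ByteBuffer.allocate(30).order(ByteOrder.LITTLE_ENDIAN);
            hdr.putInt(0x04034b50)                                             // local file header signature
               .putShort((short) 20).putShort((short) 0).putShort((short) 0)   // version, flags, method STORED
               .putInt(0)                                                      // DOS time and date
               .putInt((int) crc.getValue()).putInt(data.length).putInt(data.length)
               .putShort((short) nameBytes.length).putShort((short) 0);         // name length, extra length
            out.write(hdr.array());
            out.write(nameBytes);
            out.write(data);
        }
        return out.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        System.out.println("accepted: " + rejectDuplicateEntries(new ByteArrayInputStream(
                zipWithEntries("[Content_Types].xml", "xl/workbook.xml"))));
        try {
            rejectDuplicateEntries(new ByteArrayInputStream(zipWithEntries("xl/workbook.xml", "xl/workbook.xml")));
        } catch (ZipException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

A patched poi-ooxml (5.4.0 and later) performs this rejection inside OPCPackage.open itself; the stand-alone guard is for deployments that cannot upgrade yet or want to refuse such files at the upload boundary before any parser sees them.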


WAF Protection Rules

WAF Rule

Improper Input Validation vulnerability in Apache POI. The issue affects the parsing of OOXML format files like xlsx, docx and pptx. These file formats are basically zip files and it is possible for malicious users to add zip entries with duplicate n
