Apache POI, a widely used library for reading and writing Microsoft Office file formats such as .xlsx, .docx, and .pptx, has a vulnerability tracked as CVE-2025-31672. It is an improper input validation issue in the parsing of OOXML format files. This post describes the issue, provides a code snippet and the original references, and explains how to mitigate the risk.
The Issue
OOXML files are zip archives, so an attacker can place two or more entries with the same name (full path included) in a single file. When parsing such a file, Apache POI did not reject the duplicate names. Because different products pick different entries when names collide, the same document can yield different data depending on which parser opens it. Apache POI poi-ooxml versions before 5.4. are affected.
The Solution
Upgrade to Apache POI poi-ooxml 5.4. or later. That version introduces a check that throws an exception when zip entries with duplicate names are found in the input file.
Code Snippet
Apache POI poi-ooxml 5.4. ensures that each entry name occurs only once in the zip file. The snippet below illustrates such a check (imports and the checked exception added; reading the entries consumes the stream):

    import java.io.IOException;
    import java.util.HashSet;
    import org.apache.commons.compress.archivers.zip.ZipArchiveEntry;
    import org.apache.commons.compress.archivers.zip.ZipArchiveInputStream;

    // Walks every entry and rejects the package as soon as a name (path included) repeats.
    public void validateZipEntries(ZipArchiveInputStream zipInputStream) throws IOException {
        HashSet<String> entryNames = new HashSet<>();
        ZipArchiveEntry zipEntry;
        while ((zipEntry = zipInputStream.getNextZipEntry()) != null) {
            if (entryNames.contains(zipEntry.getName())) {
                throw new IllegalStateException("Duplicate zip entry found: " + zipEntry.getName());
            }
            entryNames.add(zipEntry.getName());
        }
    }
Original Reference Links
1. Apache POI Security: https://poi.apache.org/security.html
2. Apache POI CVE Details: https://poi.apache.org/cve.html
Exploit Details
Malicious users can exploit CVE-2025-31672 by creating OOXML files whose zip archive contains multiple entries with the same name. When an application relies on Apache POI to parse such a file, it may read a different entry than applications built on other parsers would. The parties therefore process inconsistent data, and what that enables depends on the context in which the document is used.
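To make the mechanism concrete, here is an added Python example (not Apache POI code and not from the original post) that builds a constructed, minimal OOXML-like package whose central directory lists word/document.xml twice, shows that each physical entry can be read back separately, and applies a pre-parse gate modelled on the poi-ooxml check. The package layout, the part contents and the function names are all assumptions made for this example.

```python
import io
import warnings
import zipfile
from collections import Counter


def build_duplicate_entry_package() -> bytes:
    """Constructed sample: a minimal OOXML-like package whose central directory
    lists "word/document.xml" twice with different payloads (assumed content,
    not a real document)."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        # zipfile warns "Duplicate name" but still writes the second entry,
        # which produces exactly the file shape the advisory describes.
        warnings.simplefilter("ignore")
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("[Content_Types].xml", "<Types/>")
            zf.writestr("word/document.xml", "<w:document>first</w:document>")
            zf.writestr("word/document.xml", "<w:document>second</w:document>")
    return buf.getvalue()


def find_duplicate_entries(package: bytes) -> dict[str, int]:
    """Return {entry name: count} for every name that appears more than once
    in the zip central directory. An empty dict means the package is clean."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def contents_for_name(package: bytes, name: str) -> list[bytes]:
    """Read every entry carrying `name`, in central-directory order.
    Opening by ZipInfo (rather than by name) reaches each physical entry,
    which is what lets two parsers disagree about the document's content."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        return [zf.read(info) for info in zf.infolist() if info.filename == name]


def assert_no_duplicate_entries(package: bytes) -> None:
    """Pre-parse gate in the spirit of the poi-ooxml fix: reject the whole
    package before any XML part is opened."""
    dupes = find_duplicate_entries(package)
    if dupes:
        raise ValueError(f"duplicate zip entries: {sorted(dupes)}")


if __name__ == "__main__":
    pkg = build_duplicate_entry_package()
    print(find_duplicate_entries(pkg))
    for body in contents_for_name(pkg, "word/document.xml"):
        print(body.decode())
    try:
        assert_no_duplicate_entries(pkg)
    except ValueError as exc:
        print("rejected:", exc)
```

Note that a name-based lookup such as `ZipFile.read("word/document.xml")` silently returns only the last entry, which is the single-parser view that hides the problem; counting names in the central directory, as the gate does, is what exposes it. The same gate can run on any OOXML upload before the file is handed to a library that has not yet been upgraded.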
Conclusion
Update Apache POI poi-ooxml to version 5.4. or higher to address CVE-2025-31672. The update fixes the improper input validation issue so that OOXML files with duplicate zip entries are rejected. Also read the recommendations on using the POI libraries securely at https://poi.apache.org/security.html, and keep your software up to date.
Timeline
Published on: 04/09/2025 12:15:15 UTC
Last modified on: 04/18/2025 17:15:34 UTC