GHSA-gmg8-593g-7mv3

Source

https://github.com/advisories/GHSA-gmg8-593g-7mv3

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-gmg8-593g-7mv3/GHSA-gmg8-593g-7mv3.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-gmg8-593g-7mv3

Aliases

CVE-2025-31672

Related

CGA-p724-2w94-mv7h

Published

2025-04-09T12:30:24Z

Modified

2025-04-18T19:03:06.140378Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

Apache POI OOXML Vulnerable to Improper Input Validation in OOXML File Parsing

Details

Improper Input Validation vulnerability in Apache POI. The issue affects the parsing of OOXML format files like xlsx, docx and pptx. These file formats are basically zip files and it is possible for malicious users to add zip entries with duplicate names (including the path) in the zip. In this case, products reading the affected file could read different data because 1 of the zip entries with the duplicate name is selected over another but different products may choose a different zip entry. This issue affects Apache POI poi-ooxml before 5.4.0. poi-ooxml 5.4.0 has a check that throws an exception if zip entries with duplicate file names are found in the input file. Users are recommended to upgrade to version poi-ooxml 5.4.0, which fixes the issue. Please read https://poi.apache.org/security.html for recommendations about how to use the POI libraries securely.

Database specific

{
    "nvd_published_at": "2025-04-09T12:15:15Z",
    "cwe_ids": [
        "CWE-20"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-10T13:46:10Z"
}

References

Affected packages

Maven / org.apache.poi:poi-ooxml

Package

Name: org.apache.poi:poi-ooxml; View open source insights on deps.dev
Purl: pkg:maven/org.apache.poi/poi-ooxml

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.4.0

Affected versions

3.*

3.5-beta4

3.5-beta5

3.5-beta6

3.5-FINAL

3.6

3.7-beta1

3.7-beta2

3.7-beta3

3.7

3.8-beta1

3.8-beta2

3.8-beta3

3.8-beta4

3.8-beta5

3.8

3.9

3.10-beta1

3.10-beta2

3.10-FINAL

3.10.1

3.11-beta1

3.11-beta2

3.11-beta3

3.11

3.12-beta1

3.12

3.13-beta1

3.13

3.14-beta1

3.14

3.15-beta1

3.15-beta2

3.15

3.16-beta1

3.16-beta2

3.16

3.17-beta1

3.17

4.*

4.0.0

4.0.1

4.1.0

4.1.1

4.1.2

5.*

5.0.0

5.1.0

5.2.0

5.2.1

5.2.2

5.2.3

5.2.4

5.2.5

5.3.0