SentinelOne

CVE-2025-31672: Apache POI Information Disclosure Flaw

CVE-2025-31672 is an information disclosure vulnerability in Apache POI affecting OOXML file parsing. Malicious zip entries with duplicate names can cause different data to be read. This article covers technical details, versions before 5.4.0, impact, and fixes.

CVE-2025-31672 Overview

Improper Input Validation vulnerability in Apache POI. The issue affects the parsing of OOXML format files like xlsx, docx, and pptx. These file formats are zip files, which makes it possible for malicious users to add zip entries with duplicate names (including the path) in the zip. Products reading the affected file may read different data because one of the zip entries with a duplicate name is selected over another, leading to inconsistent data handling.

Users are recommended to upgrade to version poi-ooxml 5.4.0, which fixes the issue. Please read Apache POI Security Recommendations for recommendations on how to use the POI libraries securely.

Critical Impact

Affects data integrity due to inconsistent file parsing.

Affected Products

  • Apache POI
  • NetApp Active IQ Unified Manager

Discovery Timeline

  • 2025-04-09 - CVE-2025-31672 published to NVD
  • 2025-07-15 - Last updated in NVD database

Technical Details for CVE-2025-31672

Vulnerability Analysis

This vulnerability arises from improper input validation when parsing OOXML files. Malicious actors can exploit it by adding zip entries with duplicate names, causing the application to process data incorrectly.

Root Cause

The root of the issue is the failure to validate zip entry names for uniqueness within OOXML files, leading to possible data discrepancies.

Attack Vector

This vulnerability can be exploited remotely via network access by providing specially crafted OOXML files.

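```java
import java.util.Enumeration;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;

// Example (sanitized): a reader walking the entries of a crafted OOXML package
try (ZipFile zipFile = new ZipFile("malicious.xlsx")) {
    Enumeration<? extends ZipEntry> entries = zipFile.entries();
    while (entries.hasMoreElements()) {
        ZipEntry entry = entries.nextElement();
        // Process entry; nothing here checks that entry.getName() is unique
    }
}
```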

Detection Methods for CVE-2025-31672

Indicators of Compromise

  • Unusual file access patterns in logs
  • Multiple instances of the same file being processed

Detection Strategies

Monitor network and file access logs for anomalies such as repeated access to the same file or unexpected decompression activities.

Monitoring Recommendations

Use SentinelOne’s Behavioral AI to track anomalous file handling and alert on suspicious multi-access trends that may indicate malicious activities exploiting this vulnerability.

How to Mitigate CVE-2025-31672

Immediate Actions Required

  • Block known malicious files using file hash blacklisting.
  • Restrict access to file processing services.
  • Educate employees about handling untrusted documents.

Patch Information

Upgrade to poi-ooxml 5.4.0 to mitigate this issue. This version includes checks to prevent processing files with duplicate zip entry names.

Workarounds

Implement a custom file parsing mechanism to validate zip entries' uniqueness before processing.
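
The uniqueness check described above, as an added example that is not part of the original advisory or of Apache POI's code: a Python pre-ingest gate that lists every central-directory record of a package and rejects repeated names before the file reaches the parser. The function names and the two sample packages are hypothetical and constructed for illustration.

```python
import io
import warnings
import zipfile
from collections import Counter


def duplicate_entry_names(data: bytes) -> list[str]:
    """Names that appear more than once in the zip central directory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # infolist() returns every directory record, repeats included.
        counts = Counter(info.filename for info in zf.infolist())
    return sorted(name for name, n in counts.items() if n > 1)


def copies_of(data: bytes, name: str) -> list[bytes]:
    """Payload of each copy of `name`: what two readers could disagree on."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [zf.read(info) for info in zf.infolist() if info.filename == name]


def accept_ooxml(data: bytes) -> bytes:
    """Gate to run before parsing: reject packages with repeated entry names."""
    dupes = duplicate_entry_names(data)
    if dupes:
        raise ValueError(f"duplicate zip entry names: {dupes}")
    return data


def build_sample(entries: list[tuple[str, bytes]]) -> bytes:
    """Constructed test input: an in-memory zip holding the given entries."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", UserWarning)  # zipfile warns on repeats
        with zipfile.ZipFile(buf, "w") as zf:
            for name, payload in entries:
                zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples, not real documents.
CLEAN = build_sample([("[Content_Types].xml", b"<Types/>"),
                      ("xl/workbook.xml", b"<workbook id='A'/>")])
AMBIGUOUS = build_sample([("[Content_Types].xml", b"<Types/>"),
                          ("xl/workbook.xml", b"<workbook id='A'/>"),
                          ("xl/workbook.xml", b"<workbook id='B'/>")])

if __name__ == "__main__":
    print(duplicate_entry_names(AMBIGUOUS))
    print(copies_of(AMBIGUOUS, "xl/workbook.xml"))
```

The check covers the names recorded in the zip central directory only; upgrading to poi-ooxml 5.4.0 remains the fix.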

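```bash
# Apache POI ships as a Maven artifact (org.apache.poi:poi-ooxml), not as an apt package.
# Show which poi-ooxml version the project resolves (run in the project directory)
mvn dependency:tree -Dincludes=org.apache.poi:poi-ooxml
# Pin the declared dependency to the fixed release (versions-maven-plugin)
mvn versions:use-dep-version -Dincludes=org.apache.poi:poi-ooxml -DdepVersion=5.4.0 -DforceVersion=true
```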

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
