CVE-2025-31672 Overview
CVE-2025-31672 is an improper input validation vulnerability in Apache POI, the widely used Java library for reading and writing Microsoft Office file formats. The flaw affects parsing of OOXML files including .xlsx, .docx, and .pptx. Because these formats are ZIP archives, attackers can craft files containing duplicate ZIP entries with identical names. Different applications may select different entries when processing the file, leading to inconsistent data interpretation across systems. The issue affects poi-ooxml versions before 5.4.0 and is tracked under [CWE-20] (Improper Input Validation). NetApp Active IQ Unified Manager is also impacted as a downstream consumer of the library.
Critical Impact
Attackers can craft OOXML documents where security scanners, antivirus engines, and end-user applications read different content from the same file, enabling content-spoofing and policy-bypass attacks.
Affected Products
- Apache POI poi-ooxml versions prior to 5.4.0
- NetApp Active IQ Unified Manager (Linux, Windows, VMware vSphere)
- Any application embedding vulnerable versions of Apache POI for OOXML parsing
Discovery Timeline
- 2025-04-09 - CVE-2025-31672 published to NVD
- 2025-07-15 - Last updated in NVD database
Technical Details for CVE-2025-31672
Vulnerability Analysis
The vulnerability resides in how Apache POI processes OOXML container files. OOXML formats such as xlsx, docx, and pptx are ZIP archives containing XML parts that describe document structure and content. The ZIP specification does not prohibit multiple entries with identical names, and different ZIP readers handle duplicates inconsistently. Some implementations return the first matching entry, others return the last, and some surface an error.
Apache POI versions before 5.4.0 accepted OOXML files containing duplicate ZIP entry names without validation. An attacker can place two versions of a critical document part, such as word/document.xml or xl/sharedStrings.xml, inside a single file. A content inspection tool may parse the benign entry while the rendering application opens the malicious one. This parser-differential behavior enables bypass of antivirus, data-loss prevention, and content-filtering controls.
Root Cause
The library performed no uniqueness check on ZIP entry paths during OOXML package loading. The fix in poi-ooxml 5.4.0 adds a check that throws an exception when duplicate file names are detected in the input archive, refusing to parse ambiguous content.
Attack Vector
Exploitation requires network-reachable processing of an attacker-supplied document. No authentication or user interaction is required for systems that automatically ingest documents, such as email gateways, file scanners, document conversion services, or reporting pipelines. The attacker crafts a ZIP archive with duplicated entries pointing to different XML payloads and delivers the file through any channel that feeds Apache POI. The result is integrity loss rather than code execution: tools disagree about what the document contains.
// No verified proof-of-concept code is published.
// See the Apache Bug Report #69620 and the Apache mailing
// list discussion linked in the references for technical detail.
Detection Methods for CVE-2025-31672
Indicators of Compromise
- OOXML files where the central directory contains two or more entries sharing an identical normalized path
- Documents that render differently in Microsoft Office versus headless parsing pipelines using Apache POI
- File-scanning logs showing successful parse by security tooling but downstream errors or anomalies in end-user applications
Detection Strategies
- Inspect inbound .xlsx, .docx, and .pptx attachments by enumerating ZIP central directory entries and flagging duplicates
- Compare hashes of extracted parts when the same logical path appears more than once in a single archive
- Audit application logs for org.apache.poi warnings and for the new duplicate-entry exception introduced in 5.4.0
Monitoring Recommendations
- Track Apache POI library versions across Java application inventories and build pipelines using software composition analysis
- Monitor NetApp Active IQ Unified Manager release notes and apply vendor updates referencing NetApp Security Advisory NTAP-20250523-0004
- Alert on document-handling services that ingest user-supplied OOXML files without ZIP structure validation
How to Mitigate CVE-2025-31672
Immediate Actions Required
- Upgrade Apache POI poi-ooxml to version 5.4.0 or later in all applications, build artifacts, and container images
- Apply the NetApp Active IQ Unified Manager update referenced in advisory NTAP-20250523-0004
- Review the Apache POI security recommendations for safe handling of untrusted documents
Patch Information
Apache POI 5.4.0 resolves the issue by rejecting OOXML packages that contain duplicate ZIP entry names. The fix throws an exception during parsing rather than silently selecting one entry. Coordinate updates with downstream products such as NetApp Active IQ Unified Manager that bundle the library. Full discussion is available in the Apache Mailing List Discussion and Apache Bug Report #69620.
Workarounds
- Pre-validate OOXML uploads with a custom ZIP entry uniqueness check before passing data to vulnerable Apache POI versions
- Reject any document whose ZIP central directory contains repeated normalized paths
- Restrict document ingestion pipelines to authenticated sources where supplier integrity can be verified
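The duplicate-entry detection and pre-validation listed above, together with the first-versus-last reader differential described in the analysis section, as an added Python example that is not part of this advisory or of Apache POI: it builds a constructed two-entry archive in memory with the standard zipfile module, lists every repeated normalized path with the SHA-256 of each instance, shows that a reader taking the first instance and zipfile's own name lookup (which keeps the last) return different content, and refuses the upload. The part contents, the normalize() rules and the AmbiguousPackageError name are assumptions made for the example.

```python
"""Detect and reject OOXML (ZIP) packages that carry duplicate entry paths."""
import hashlib
import io
import posixpath
import warnings
import zipfile

# Constructed stand-ins for a document part; not real Office content.
BENIGN_PART = b"<w:document><w:body><w:p><w:t>quarterly report</w:t></w:p></w:body></w:document>"
ALTERED_PART = b"<w:document><w:body><w:p><w:t>revised figures</w:t></w:p></w:body></w:document>"


def build_archive(entries):
    """Return ZIP bytes holding the given (path, data) pairs in that order.

    zipfile writes a duplicate name if asked (it only warns), which is enough
    to reproduce the shape of file this advisory describes.
    """
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", UserWarning)  # silence "Duplicate name"
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for path, data in entries:
                zf.writestr(path, data)
    return buf.getvalue()


def normalize(path):
    """Collapse path spellings a reader might treat as the same part (assumed rules)."""
    p = path.replace("\\", "/")
    p = posixpath.normpath(p)
    return p.lstrip("/")


def duplicate_entries(zip_bytes):
    """Map each normalized path seen more than once to the SHA-256 digests of
    its instances, in central-directory order."""
    seen = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        # infolist() keeps every central-directory record, duplicates included
        for info in zf.infolist():
            digest = hashlib.sha256(zf.read(info)).hexdigest()
            seen.setdefault(normalize(info.filename), []).append(digest)
    return {path: digests for path, digests in seen.items() if len(digests) > 1}


def first_vs_last(zip_bytes, path):
    """Parser differential: the first instance versus zipfile's name lookup,
    whose name-to-entry table is overwritten by later records (last wins)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        matches = [i for i in zf.infolist() if normalize(i.filename) == normalize(path)]
        first = zf.read(matches[0])
        by_name = zf.read(path)
    return first, by_name


class AmbiguousPackageError(ValueError):
    """Raised when an archive has more than one entry for the same path."""


def validate_ooxml_upload(zip_bytes):
    """Gate in front of a pre-5.4.0 poi-ooxml consumer: refuse repeated paths."""
    dups = duplicate_entries(zip_bytes)
    if dups:
        raise AmbiguousPackageError(f"duplicate ZIP entries: {sorted(dups)}")
    return True


if __name__ == "__main__":
    crafted = build_archive([
        ("[Content_Types].xml", b"<Types/>"),
        ("word/document.xml", BENIGN_PART),
        ("word/document.xml", ALTERED_PART),
    ])
    print(duplicate_entries(crafted))
    first, last = first_vs_last(crafted, "word/document.xml")
    print("first==benign:", first == BENIGN_PART, "by-name==altered:", last == ALTERED_PART)
    try:
        validate_ooxml_upload(crafted)
    except AmbiguousPackageError as exc:
        print("rejected:", exc)
```

Run validate_ooxml_upload() on the raw upload bytes before any Apache POI call; a central-directory walk is cheap compared with XML parsing, and it refuses the file without deciding which instance is "real". Comparing digests (rather than only counting names) also distinguishes a harmless repeated identical entry from two different payloads under one path.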
# Maven dependency upgrade to the fixed version (pom.xml fragment)
<dependency>
  <groupId>org.apache.poi</groupId>
  <artifactId>poi-ooxml</artifactId>
  <version>5.4.0</version>
</dependency>
# If the version is held in a property, set it with the Versions plugin, then confirm the resolved artifact
mvn versions:set-property -Dproperty=poi.version -DnewVersion=5.4.0
mvn dependency:tree | grep poi-ooxml
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.