CVE-2025-31672: 
Java vulnerability analysis and mitigation

Apache POI reported an Improper Input Validation vulnerability (CVE-2025-31672) discovered on April 9, 2025. The vulnerability affects the parsing of OOXML format files (xlsx, docx, and pptx) in Apache POI poi-ooxml versions before 5.4.0. These file formats, which are essentially zip files, can be manipulated by malicious users to include zip entries with duplicate names, potentially leading to inconsistent data processing across different systems (NVD, OpenWall).

The vulnerability stems from the way Apache POI handles zip entries in OOXML format files. When duplicate file names (including paths) exist within the zip structure, different products may select different zip entries with the same name, leading to inconsistent data interpretation. The issue has been assigned a CVSS 3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. The vulnerability is classified under CWE-20 (Improper Input Validation) (NVD, Rapid7).

The vulnerability can allow attackers to manipulate file parsing behavior through specially crafted OOXML files containing ZIP entries with duplicate file names. This manipulation can result in inconsistent data processing across different systems, potentially leading to security issues and data integrity concerns (Rapid7).

The vulnerability has been fixed in Apache POI poi-ooxml version 5.4.0, which implements a check that throws an exception when zip entries with duplicate file names are detected in the input file. Users are strongly recommended to upgrade to version 5.4.0. Additionally, users should consult the Apache POI security documentation at poi.apache.org/security.html for guidance on secure usage of the POI libraries (OpenWall, Apache Bugzilla).