CVE-2025-31672

5.3 MEDIUM

📋 TL;DR

This vulnerability allows attackers to craft malicious OOXML files (Excel, Word, or PowerPoint documents) containing duplicate zip entries, that is, two archive entries with the same name, so that different applications parsing the same file may read different content. It affects any system that uses the Apache POI poi-ooxml library, versions before 5.4.0, to parse Office documents. The inconsistency in how duplicate entries are resolved can lead to data integrity issues or unexpected behavior.

💻 Affected Systems

Products:
  • Apache POI poi-ooxml
Versions: All versions before 5.4.0
Operating Systems: All operating systems running Java applications using affected POI versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications that parse OOXML files (xlsx, docx, pptx) using the vulnerable POI library. Applications using other parsing methods or file formats are not affected.

📦 What is this software?

Apache POI is an open-source Java library for reading and writing Microsoft Office file formats. Its poi-ooxml module handles the Office Open XML (OOXML) formats (xlsx, docx, pptx), which are zip containers holding XML parts; this is the component affected here.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Data manipulation or corruption where different systems process the same malicious document differently, potentially leading to incorrect business decisions, data loss, or security bypasses depending on how the parsed data is used.

🟠 Likely Case

Inconsistent document processing across different applications or systems, causing data integrity issues, parsing errors, or application crashes when handling specially crafted documents.

🟢 If Mitigated

Minimal impact with proper input validation and file scanning; applications would reject or safely handle malformed documents.

🌐 Internet-Facing: MEDIUM - Web applications accepting file uploads could be targeted with malicious documents, but exploitation requires specific parsing scenarios.
🏢 Internal Only: MEDIUM - Internal document processing systems could be affected if users open malicious documents, but requires user interaction.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM - Requires creating specially crafted OOXML files with duplicate zip entries and getting them processed by vulnerable systems.

Exploitation requires user interaction (opening a malicious document) or automated document processing systems. No public exploit code has been identified in references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: poi-ooxml 5.4.0

Vendor Advisory: https://poi.apache.org/security.html

Restart Required: No

Instructions:

1. Identify all applications using Apache POI poi-ooxml.
2. Update Maven/Gradle dependencies to poi-ooxml version 5.4.0 or later.
3. Rebuild and redeploy affected applications.
4. Test document processing functionality.

🔧 Temporary Workarounds

Input validation and file scanning (applies to: all)

Implement server-side validation that rejects OOXML files containing duplicate zip entries before they are handed to the parser.
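One way to implement that pre-parse check. This is an added example, not Apache POI code or code from the vendor advisory; it uses Python's standard zipfile module to scan the archive's central directory for repeated entry names, and the same approach applies in Java in front of the POI call. The archives it builds are constructed in memory for illustration and are not real workbooks. The `interpretations` function also shows concretely why duplicates are dangerous: a sequential reader and a name-indexed reader of the same archive return different XML for the same part.

```python
"""Pre-parse check for OOXML uploads: reject archives with duplicate entry names.

Added example, not Apache POI code. The archives below are constructed in
memory and are not real workbooks.
"""
from __future__ import annotations

import io
import warnings
import zipfile
from collections import Counter


def duplicate_entry_names(data: bytes) -> list[str]:
    """Return entry names listed more than once in the zip central directory.

    OOXML documents are ordinary zip containers. The central directory is the
    index most readers trust, so that is where duplicate names are counted.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return sorted(name for name, n in counts.items() if n > 1)


def upload_problems(data: bytes) -> list[str]:
    """Return reasons to reject an upload; an empty list means it may go to the parser."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return ["not a zip container"]
    problems: list[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    if "[Content_Types].xml" not in names:
        problems.append("missing [Content_Types].xml, not an OOXML package")
    dupes = duplicate_entry_names(data)
    if dupes:
        problems.append("duplicate zip entries: " + ", ".join(dupes))
    return problems


def interpretations(data: bytes, name: str) -> tuple[str, str]:
    """Show why duplicates are ambiguous: two valid reading strategies disagree.

    A sequential reader takes the first record carrying the name; a
    name-indexed reader (ZipFile.read) resolves to the last one. A scanner
    and a parser can therefore see different XML for the same part.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        first_record = next(info for info in zf.infolist() if info.filename == name)
        sequential = zf.open(first_record).read().decode()
        by_name = zf.read(name).decode()
    return sequential, by_name


def build_sample(duplicate: bool) -> bytes:
    """Construct a minimal xlsx-shaped archive (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook version='first'/>")
        if duplicate:
            with warnings.catch_warnings():
                # zipfile only warns about the duplicate name; it still writes it
                warnings.simplefilter("ignore")
                zf.writestr("xl/workbook.xml", "<workbook version='second'/>")
    return buf.getvalue()


if __name__ == "__main__":
    clean, crafted = build_sample(False), build_sample(True)
    print("clean  :", upload_problems(clean) or "accepted")
    print("crafted:", upload_problems(crafted))
    print("crafted read two ways:", interpretations(crafted, "xl/workbook.xml"))
```

Run the check on the raw upload bytes before any document parsing, and log the rejection reason together with the request context so that the "duplicate entry" log indicator below is actually produced by your own code rather than only by a parser failure.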

Use alternative parsing libraries (applies to: all)

Temporarily switch to an alternative Office document parsing library while upgrading POI.

🧯 If You Can't Patch

  • Implement strict file upload validation and scanning for all OOXML documents
  • Restrict document processing to trusted sources and implement user awareness training about opening suspicious files

🔍 How to Verify

Check if Vulnerable:

Check your project's dependency management file (pom.xml, build.gradle) for poi-ooxml version. Versions below 5.4.0 are vulnerable.

Check Version:

For Maven: mvn dependency:tree | grep poi-ooxml
For Gradle: gradle dependencies | grep poi-ooxml

Verify Fix Applied:

Confirm that the resolved poi-ooxml version in your dependencies is 5.4.0 or higher, then test parsing of an OOXML file with duplicate zip entries: the patched library should throw an exception rather than parse it.
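A small script for the version check, added here as an example rather than taken from the advisory. It post-processes the output of the mvn and gradle commands above and flags every poi-ooxml version below 5.4.0 that the build actually resolves; the Gradle "declared -> resolved" conflict-resolution arrow is honoured so that a transitive 5.2.x upgraded to 5.4.0 is not reported as a false positive. The sample tool output is constructed, not captured from a real build.

```python
"""Scan Maven/Gradle dependency output for poi-ooxml versions below the fixed release.

Added example: it post-processes the output of the mvn/gradle commands above;
the sample output is constructed, not captured from a real build.
"""
from __future__ import annotations

import re

FIXED_VERSION = (5, 4, 0)  # poi-ooxml 5.4.0 contains the fix (from the advisory)

# Maven dependency:tree prints "org.apache.poi:poi-ooxml:jar:5.2.5:compile";
# Gradle prints "org.apache.poi:poi-ooxml:5.2.3" and, when conflict resolution
# upgraded it, "org.apache.poi:poi-ooxml:5.2.3 -> 5.4.0". The resolved version
# (after the arrow) is the one that actually ships.
_COORD = re.compile(
    r"org\.apache\.poi:poi-ooxml:(?:jar:)?(\d+(?:\.\d+)*)"
    r"(?:\s*->\s*(\d+(?:\.\d+)*))?"
)


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '5.2.5' into (5, 2, 5) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def vulnerable_poi_versions(tree_output: str) -> list[str]:
    """Return the poi-ooxml versions below 5.4.0 that the build actually resolves."""
    flagged: list[str] = []
    for match in _COORD.finditer(tree_output):
        declared, resolved = match.groups()
        effective = resolved or declared
        if parse_version(effective) < FIXED_VERSION and effective not in flagged:
            flagged.append(effective)
    return flagged


# Constructed sample output in the two tools' formats.
SAMPLE_MAVEN = """\
[INFO] com.example:report-service:jar:1.0.0
[INFO] +- org.apache.poi:poi-ooxml:jar:5.2.5:compile
[INFO] |  +- org.apache.poi:poi:jar:5.2.5:compile
[INFO] |  \\- org.apache.commons:commons-compress:jar:1.26.1:compile
"""

SAMPLE_GRADLE = """\
runtimeClasspath - Runtime classpath of source set 'main'.
+--- org.apache.poi:poi-ooxml:5.2.3 -> 5.4.0
\\--- com.example:legacy-lib:2.0
     \\--- org.apache.poi:poi-ooxml:4.1.2
"""

if __name__ == "__main__":
    print("maven :", vulnerable_poi_versions(SAMPLE_MAVEN))   # ['5.2.5']
    print("gradle:", vulnerable_poi_versions(SAMPLE_GRADLE))  # ['4.1.2']
```

Pipe the real command output into this script (for example `mvn dependency:tree | python check_poi.py`, reading stdin) across every module of a multi-module build; a single transitive 4.x or 5.2.x pulled in by an internal library is enough to keep an application exposed even when the top-level pom declares 5.4.0.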

📡 Detection & Monitoring

Log Indicators:

  • Exceptions related to zip parsing or duplicate entries in OOXML files
  • Unexpected document parsing errors or inconsistencies

Network Indicators:

  • Unusual patterns of OOXML file uploads to document processing systems

SIEM Query:

source="application_logs" AND ("duplicate entry" OR "zip entry" OR "OOXML parsing error") AND process="java"
