Apache POI < 5.4.0 Improper Input Validation

🗓️ 11 Apr 2025 00:00:00Reported by TenableType

Apache POI versions before 5.4.0 have improper input validation affecting OOXML file parsing.

Reporter	Title	Published	Views	Family All 60
IBM Security Bulletins	Security Bulletin: There is a vulnerability in poi-ooxml-5.3.0.jarused by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2025-31672)	26 Jun 202505:44	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Observability with Instana (OnPrem) is affected by multiple vulnerabilities	31 Jul 202514:21	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerability in Apache POI library affect Tivoli Netcool/OMNIbus WebGUI (CVE-2025-31672)	17 Jun 202509:26	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Operational Decision Manager for March 2026 - Multiple CVEs addressed	26 Mar 202606:10	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerabilities in Apache affects IBM watsonx Orchestrate with watsonx Assistant Cartridge	11 Aug 202517:42	–	ibm
IBM Security Bulletins	Security Bulletin: IBM InfoSphere Information Server is affected by an improper input validation vulnerability in Apache POI (CVE-2025-31672)	29 Sep 202520:55	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities affect Data Virtualization on IBM Software Hub (August 2025 - Part 1 of 2)	2 Sep 202518:13	–	ibm
IBM Security Bulletins	Security Bulletin: Common vulnerabilities addressed in Cloudera Observability 3.6.2	9 Mar 202617:07	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Operations Analytics - Log Analysis is affected by potential data integrity and denial of service due to Apache POI	6 Apr 202614:33	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Engineering Lifecycle Management - Jazz Foundation is impacted by vulnerabilities in Apache POI	29 Jan 202605:08	–	ibm

Source	Link
lists	www.lists.apache.org/thread/k14w8vcjqy4h34hh5kzldko78kpylkq5
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(234190);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/01/20");

  script_cve_id("CVE-2025-31672");
  script_xref(name:"IAVB", value:"2025-B-0052");

  script_name(english:"Apache POI < 5.4.0 Improper Input Validation");

  script_set_attribute(attribute:"synopsis", value:
"The version of Apache POI installed on the remote host is affected by an improper input validation vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of Apache POI installed on the remote host is a version prior to 5.4.0. It is, therefore, affected by an 
improper input validation vulnerability. The issue affects the parsing of OOXML format files like xlsx, docx, and pptx. 
These file formats are essentially zip files, and it is possible for malicious users to add zip entries with duplicate 
names (including the path) in the zip. In such cases, products reading the affected file could read different data 
because one of the zip entries with the duplicate name is selected over another, but different products may choose a 
different zip entry. This issue affects Apache POI poi-ooxml before 5.4.0. Version 5.4.0 introduces a check that throws 
an exception if zip entries with duplicate file names are found in the input file.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported
version number.");
  script_set_attribute(attribute:"see_also", value:"https://lists.apache.org/thread/k14w8vcjqy4h34hh5kzldko78kpylkq5");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Apache POI 5.4.0 or later.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-31672");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/04/08");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/04/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/04/11");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:poi");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:jre");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:jdk");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_set_attribute(attribute:"asset_categories", value:"component");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2025-2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("apache_poi_detect.nbin");
  script_require_keys("installed_sw/Apache POI");

  exit(0);
}

include('vdf.inc');

# @tvdl-content
var vuln_data = { 
  'metadata': {'spec_version': '1.0'},
  'checks': [
    {   
      'product': {'name': 'Apache POI', 'type': 'app'},
      'check_algorithm': 'default',
      'requires': [{'scope': 'install', 'contains': {'Component': 'poi-ooxml'}}],
      'constraints': [
        {
            'fixed_version': '5.4.0'
        }
      ]   
    }
  ]
};

var result = vdf::check_and_report(vuln_data:vuln_data, severity:SECURITY_WARNING);
vdf::handle_check_and_report_errors(vdf_result:result);

20 Jan 2026 00:00Current

6.4Medium risk

Vulners AI Score6.4

CVSS 3.15.3

EPSS0.00521

SSVC