Apache POI, Improper Input Validation, CVE-2025-XXXX (Moderate)


How the CVE Works:

Apache POI’s OOXML file parser does not validate that ZIP entry names are unique inside OOXML files (e.g., .xlsx, .docx, .pptx). An attacker can craft a file whose ZIP structure contains two entries with the same name, and because the parser never enforces uniqueness, which of the two entries gets processed depends on the tool reading the file. Different tools, or different code paths in the same application, can therefore see different content for the same part. This could result in data corruption, unintended code execution, or security bypasses. The vulnerability was patched in poi-ooxml 5.4.0, which now rejects files with duplicate entries.

DailyCVE Form:

Platform: Apache POI
Version: <5.4.0
Vulnerability: Improper Input Validation
Severity: Moderate
Date: 2025-04-10

What Undercode Says:

Exploitation:

1. Craft Malicious OOXML:

zip -r exploit.xlsx duplicate_file.txt duplicate_file.txt

2. Trigger Parsing:

XSSFWorkbook workbook = new XSSFWorkbook(new File("exploit.xlsx"));

Protection:

1. Upgrade:

<dependency>
    <groupId>org.apache.poi</groupId>
    <artifactId>poi-ooxml</artifactId>
    <version>5.4.0</version>
</dependency>

2. Pre-Parse Validation:

import java.util.HashSet;
import java.util.Set;
import java.util.zip.ZipFile;

try (ZipFile zip = new ZipFile(file)) { // close the archive even when validation throws
    Set<String> entries = new HashSet<>();
    zip.stream().forEach(e -> {
        if (!entries.add(e.getName())) throw new SecurityException("Duplicate entry detected: " + e.getName());
    });
}
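The pre-parse check above, carried a step further as an added example that is not from the advisory or from Apache POI. Python's zipfile module is used here because the check works at the ZIP layer and does not depend on POI: the block builds a constructed two-entry fixture, shows that a name-keyed read silently returns the last duplicate while the central directory lists both (the parser differential the advisory describes), and gates parsing on a duplicate scan that also compares names case-insensitively, since OPC part names are case-insensitive.

```python
import io
import warnings
import zipfile
from collections import defaultdict

# Constructed fixture: OOXML-style part names, with the worksheet part listed twice.
DUPLICATE_PARTS = [
    ("[Content_Types].xml", "<Types/>"),
    ("xl/worksheets/sheet1.xml", "<sheet>first</sheet>"),
    ("xl/worksheets/sheet1.xml", "<sheet>second</sheet>"),
]

def build_archive(parts):
    """Write the (name, body) pairs into an in-memory ZIP, keeping duplicate names."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns on a duplicate name but still writes it
        with zipfile.ZipFile(buf, "w") as zf:
            for name, body in parts:
                zf.writestr(name, body)
    return buf.getvalue()

def find_duplicate_entries(data):
    """Map each colliding name (lower-cased) to the entry names in central-directory order.
    OPC part names are case-insensitive, so 'xl/A.xml' and 'xl/a.xml' also collide."""
    seen = defaultdict(list)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():  # walks the whole central directory, duplicates included
            seen[info.filename.lower()].append(info.filename)
    return {name: names for name, names in seen.items() if len(names) > 1}

def entry_contents(data, name):
    """Body of every entry carrying this exact name, read via its own local header."""
    bodies = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.filename == name:
                with zf.open(info) as f:
                    bodies.append(f.read())
    return bodies

def default_lookup(data, name):
    """What a name-keyed read returns: Python's zipfile keeps the LAST entry for a name."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)

def validate_before_parsing(data):
    dups = find_duplicate_entries(data)  # pre-parse gate: refuse the file rather than let the parser pick
    if dups:
        raise ValueError("duplicate ZIP entries: " + ", ".join(sorted(dups)))
```

Run the gate on the raw bytes before handing them to any OOXML parser; a file that fails it should be rejected and logged, not "repaired".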

Detection:

1. Scan Dependencies:

mvn dependency:tree | grep poi-ooxml

2. Static Analysis:

grep -r "XSSFWorkbook" src/

Mitigation:

  • Reject files with non-standard ZIP structures.
  • Use read-only mode for untrusted documents.
  • Log parsing failures for auditing.

(End of report. No additional commentary.)

References:

Reported By: https://github.com/advisories/GHSA-gmg8-593g-7mv3