Apache POI version updated to 5.4.1

Hi,

We use Jmix version 2.1.3 and Vaadin version 24. While creating a new project, Jmix provides the Apache POI library at version 5.2.3, but it is vulnerable:

Improper Input Validation:
The vulnerability arises from Apache POI’s parsing of OOXML files (like .xlsx, .docx, .pptx).

Duplicate Zip Entries:
Attackers can insert multiple zip entries with the same filename into a crafted OOXML file.

Inconsistent Data:
When Apache POI parses such files, different products may select different duplicate entries, leading to inconsistent data being extracted.

Affected Version:
Apache POI 5.2.3 is specifically mentioned as being vulnerable.

Fix:
Later versions, particularly 5.4.0 and above, include a fix for this issue.

We upgraded to Apache POI 5.4.0 and are now getting an issue: when we click any menu or action button, the application stays in a continuously loading state. We checked the browser console, and in the Network tab one of the API requests is in the pending state.
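The duplicate-entry problem described above is a property of the zip container, so it can be checked before a file reaches the parser. The following is an added example, not code from the original post or from Jmix or Apache POI: it constructs a sample OOXML-style zip with a repeated entry name (constructed test data, not a real crafted file), shows that a name-based lookup silently returns only one of the copies, and rejects any container whose central directory repeats a name.

```python
import io
import warnings
import zipfile
from collections import Counter


def duplicate_entry_names(data: bytes) -> list[str]:
    """Return entry names that appear more than once in the zip central directory.

    An OOXML file (.xlsx/.docx/.pptx) is a zip container; a well-formed one never
    repeats an entry name, so any duplicate is grounds to reject the upload
    before it is handed to a parser such as Apache POI.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return sorted(name for name, n in counts.items() if n > 1)


def is_safe_ooxml_container(data: bytes) -> bool:
    """True only if no entry name is duplicated."""
    return not duplicate_entry_names(data)


def entry_seen_by_name_lookup(data: bytes, name: str) -> bytes:
    """Content a name-based reader picks; Python's zipfile keeps the LAST copy.

    Another reader may pick the first copy, which is the inconsistency the
    advisory describes.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)


def build_sample_with_duplicate(payload_a: bytes, payload_b: bytes) -> bytes:
    """Constructed sample: a minimal zip listing 'xl/workbook.xml' twice."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", b"<Types/>")
        zf.writestr("xl/workbook.xml", payload_a)
        with warnings.catch_warnings():
            warnings.simplefilter("ignore")  # zipfile warns on the duplicate name
            zf.writestr("xl/workbook.xml", payload_b)
    return buf.getvalue()


def build_clean_sample() -> bytes:
    """Constructed sample: the same layout with each entry name used once."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", b"<Types/>")
        zf.writestr("xl/workbook.xml", b"<workbook/>")
    return buf.getvalue()
```

Running `duplicate_entry_names` on an upload and rejecting non-empty results gives a parser-independent guard that does not depend on which POI version the project ships.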

Hi,

What add-ons do you have in your project?

Also created an issue to update POI version - Update Apache POI version to 5.4.0+ · Issue #4421 · jmix-framework/jmix · GitHub

Regards,
Ivan

In which Jmix version will this issue be fixed and released, and when can we expect this release? Accordingly, we can make the necessary changes in our application.

Can’t say exactly. I don’t know how serious the issue is that you faced with POI 5.4.0.
But I think we will aim for 2.6, in June.

And please provide the list of your add-ons. If we manage to reproduce your issue with the upgraded POI, maybe we can fix it directly on the project side.

Regards,
Ivan