From da4e87d97f1050009223dfee427d46bbb15d2b06 Mon Sep 17 00:00:00 2001
From: Gerard Olenski <31597546+gerardolenski@users.noreply.github.com>
Date: Wed, 18 Jun 2025 15:43:45 +0200
Subject: [PATCH] PRODSEC-10088 Fix CVE Vulnerability CVE-2025-31672 in
 poi-ooxml-5.2.5.jar (#1085)

---
 pom.xml | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/pom.xml b/pom.xml
index 42fca363..ca7137ed 100644
--- a/pom.xml
+++ b/pom.xml
@@ -26,11 +26,10 @@
         <env.project_version>${project.version}</env.project_version>
         <dependency.jackson.version>2.18.2</dependency.jackson.version>
         <dependency.tika.version>2.9.2</dependency.tika.version>
-        <dependency.poi.version>5.2.5</dependency.poi.version>
+        <dependency.poi.version>5.4.1</dependency.poi.version>
+        <dependency.commons-io.version>2.19.0</dependency.commons-io.version>
         <dependency.imaging.version>1.0.0-alpha5</dependency.imaging.version>
         <dependency.snakeyaml.version>2.3</dependency.snakeyaml.version>
-        <!-- The override can be removed when logback version in spring-boot-starter-parent is updated and free of vulnerabilities -->
-        <logback.version>1.5.16</logback.version>
         <!--The override can be removed when transitive (from tika) bouncycastle dependency is free of vulnerabilities-->
         <dependency.bouncycastle.version.override>1.79</dependency.bouncycastle.version.override>
 
@@ -137,6 +136,11 @@
 
     <dependencyManagement>
         <dependencies>
+            <dependency>
+                <groupId>commons-io</groupId>
+                <artifactId>commons-io</artifactId>
+                <version>${dependency.commons-io.version}</version>
+            </dependency>
             <dependency>
                 <groupId>org.bouncycastle</groupId>
                 <artifactId>bcmail-jdk18on</artifactId>