Apache POI™ - Security guidance
Overview

This page provides some guidance on how Apache POI can be used in security-sensitive areas.

Information about related security vulnerabilities

Information about security issues is included in the Project News.

Reporting security vulnerabilities

Apache POI will try to fix security-related bugs with priority.

Please follow the general Apache Security Guidelines for proper handling.

Note, however, that because processing external files is inherently risky, you should design your application to limit the impact of malicious documents as much as possible. The higher your security requirements, the more you will likely need to invest in your application to contain such effects.

Architecting your Application

If you are processing documents from an untrusted source, you should add a number of safeguards to your application to contain any unexpected side effects.

Apache POI cannot fully protect against some documents affecting the current process; we therefore suggest the following additional layers of security.