XXE Vulnerability in Excel Streaming Reader Java Library

The Java library Excel Streaming Reader was found to be vulnerable to XML External Entity attacks during a recent penetration test we performed for a client who was using it.

Excel Streaming Reader provides a memory efficient way to consume large Excel files for processing by your application and wraps the Apache POI library.


Version 2.0.0 and below was confirmed to be vulnerable to XXE due to insecure default usage of the Apache Xerces XML parser. I’ve blogged separately about exploiting XXE via Excel file uploads to keep this post briefer.

I contacted the developer of this library, Taylor Jones, via email on Friday 10th November and received a response almost immediately. A fix was committed privately later that day and I was invited to verify the fix over the weekend. It looked good and version 2.1.0 was released on Sunday 11th November 2018 and is now available on Maven Central.

All users are naturally encouraged to upgrade.


As a final note, Taylor was extremely responsive to resolving this issue and I also quite like the test he wrote for this bug. You can check it out in the diffs but he throws up his own mini-HTTP server to test for out-of-band connections. A great example of how you can build security tests into your CI pipeline.