Current version 5.2.5 provides the transitive vulnerable dependency org.apache.commons:commons-compress:1.25.0. This vulnerability has been fixed in org.apache.commons:commons-compress:1.26.0 (https://mvnrepository.com/artifact/org.apache.commons/commons-compress). Therefore, the dependency should be updated to the new version to avoid the vulnerability.
The vulnerability fixed in commons-compress: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26308
trunk has already been updated to use commons-compress 1.26.0, so this will be in the next release. Users of the current version of POI can override the version used in their Maven or Gradle build files.
POI doesn't even use the pack200 code. POI tests run fine with the latest commons-compress jar. We are not going to expedite a POI release. Feel free to update your build to use a newer commons-compress jar. If you have a POC that demos that POI 5.2.5 is actually affected, please provide it privately using the security guidelines. https://poi.apache.org/security.html
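One way to apply the override the maintainers suggest, as an added example that is not part of this thread: a minimal Maven pom that pins the transitive commons-compress to 1.26.0 via dependencyManagement while keeping POI at 5.2.5. The artifact name poi-ooxml and the project coordinates are assumptions chosen for illustration.

```xml
<!-- Constructed example pom.xml: pin commons-compress without waiting for a POI release. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example.local</groupId>          <!-- assumed placeholder coordinates -->
  <artifactId>poi-consumer</artifactId>
  <version>1.0-SNAPSHOT</version>

  <!-- dependencyManagement wins over the transitive version POI declares,
       so every path that pulls in commons-compress resolves to 1.26.0. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-compress</artifactId>
        <version>1.26.0</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- POI stays on the current release; only the transitive jar is replaced. -->
    <dependency>
      <groupId>org.apache.poi</groupId>
      <artifactId>poi-ooxml</artifactId>   <!-- assumed: the POI artifact in use -->
      <version>5.2.5</version>
    </dependency>
  </dependencies>
</project>
```

Verify the override took effect with `mvn dependency:tree -Dincludes=org.apache.commons:commons-compress`, which should show only 1.26.0; if another dependency pins a different version, it will appear here and needs the same treatment.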