CVE-2025-0514
Published 2025-02-25
CVE-2025-0514: Improper Input Validation vulnerability in The Document Foundation LibreOffice allows Windows Executable hyperlink targets to be executed unconditionally on…
Priority P336 · high · 7.8 (CVSS 3.1)
AV:L / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
EPSS: 0.32% (23.4th percentile)
Improper Input Validation vulnerability in The Document Foundation LibreOffice allows Windows Executable hyperlink targets to be executed unconditionally on activation. This issue affects LibreOffice: from 24.8 before 24.8.5.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libreoffice | — | — |
| libreoffice | libreoffice | >= 24.8.0.0 < 24.8.5.1 | 24.8.5.1 |
| the_document_foundation | libreoffice | >= 24.8 < 24.8.5 | 24.8.5 |
CVSS provenance
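| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 7.2 | HIGH | CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:L/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | — | 7.2 | HIGH | — |
| vendor_debian | — | 7.2 | LOW | — |
| vendor_redhat | — | 7.2 | HIGH | — |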
Red Hat
libreoffice: Executable hyperlink Windows path targets executed unconditionally on activation
vendor_redhat·2025-02-25·CVSS 7.2
CVE-2025-0514 [HIGH] CWE-20 libreoffice: Executable hyperlink Windows path targets executed unconditionally on activation
Improper Input Validation vulnerability in The Document Foundation LibreOffice allows Windows Executable hyperlink targets to be executed unconditionally on activation. This issue affects LibreOffice: from 24.8 before 24.8.5.
A flaw was found in LibreOffice. LibreOffice has a feature where CTRL+click can activate hyperlinks in a document. On Windows systems, the link can be passed to the system ShellExecute function for handling. LibreOffice uses a mechanism that blocks paths to executable targets from being passed to ShellExecute, to avoid attempting to launch executables. In affected versions, this mechanism could be bypassed by using non-file URLs that ShellExecute could interpret as Windows file paths.
Statemen
Debian
CVE-2025-0514: libreoffice - Improper Input Validation vulnerability in The Document Foundation LibreOffice a...
vendor_debian·2025·CVSS 7.2
CVE-2025-0514 [HIGH] CVE-2025-0514: libreoffice - Improper Input Validation vulnerability in The Document Foundation LibreOffice a...
Improper Input Validation vulnerability in The Document Foundation LibreOffice allows Windows Executable hyperlink targets to be executed unconditionally on activation. This issue affects LibreOffice: from 24.8 before 24.8.5.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
GHSA
GHSA-f6mr-g7jq-gx82: Improper Input Validation vulnerability in The Document Foundation LibreOffice allows Windows Executable hyperlink targets to be executed unconditiona
ghsa_unreviewed·2025-02-26
CVE-2025-0514 [HIGH] CWE-20 GHSA-f6mr-g7jq-gx82: Improper Input Validation vulnerability in The Document Foundation LibreOffice allows Windows Executable hyperlink targets to be executed unconditiona
Improper Input Validation vulnerability in The Document Foundation LibreOffice allows Windows Executable hyperlink targets to be executed unconditionally on activation. This issue affects LibreOffice: from 24.8 before 24.8.5.
OSV
CVE-2025-0514: Improper Input Validation vulnerability in The Document Foundation LibreOffice allows Windows Executable hyperlink targets to be executed unconditiona
osv·2025-02-25·CVSS 7.2
CVE-2025-0514 [HIGH] CVE-2025-0514: Improper Input Validation vulnerability in The Document Foundation LibreOffice allows Windows Executable hyperlink targets to be executed unconditiona
Improper Input Validation vulnerability in The Document Foundation LibreOffice allows Windows Executable hyperlink targets to be executed unconditionally on activation. This issue affects LibreOffice: from 24.8 before 24.8.5.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-02-25
Published