CVE-2025-14714: Authentication Bypass Using an Alternate Path or Channel in Document Foundation LibreOffice

Severity
0.9 LOW (NVD)
EPSS
0.0%
top 89.97%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Dec 15

Description

An Authentication Bypass vulnerability existed where the application bundled an interpreter (Python) that inherits the Transparency, Consent, and Control (TCC) permissions granted by the user to the main application bundle. By executing the bundled interpreter directly, the attacker's scripts run with the application's TCC privileges. In fixed versions, parent-constraints are used to allow only the main application to launch the interpreter with those permissions. This issue affects LibreOffice on m

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N

Affected Packages (2 packages)

NVD: libreoffice/libreoffice 25.2.0.1 25.2.4.1
CVEListV5: the_document_foundation/libreoffice 25.2 < 25.2.4

🔴 Vulnerability Details (2)

GHSA
GHSA-65c5-j3wr-v7fh: An Authentication Bypass vulnerability existed where the application bundled an interpreter (Python) that inherits the Transparency, Consent, and Cont (2025-12-15)
CVEList
TCC Bypass via Inherited Permissions in Bundled Interpreter (2025-12-15)

📋 Vendor Advisories (2)

Red Hat
LibreOffice: LibreOffice: Authentication Bypass leading to privilege escalation via bundled interpreter execution (2025-12-15)
Debian
CVE-2025-14714: libreoffice - An Authentication Bypass vulnerability existed where the application bundled an ... (2025)

🕵️ Threat Intelligence (1)

Wiz
CVE-2025-14714 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2025-14714 — LOW severity | cvebase