LibreOffice: Manipulated documents can inject commands into Windows

Attackers can abuse a vulnerability in LibreOffice under Windows that allows files to be executed after clicking on links.

(Image: created with AI in Bing Designer by heise online / dmk)

There is a security vulnerability in LibreOffice that attackers can abuse with manipulated links in documents. This allows them to launch executable files under Windows and potentially cause damage. An updated version of the office suite that closes the gap is available for download.

The developers of LibreOffice have issued a security advisory discussing the issue. The software supports a function that allows hyperlinks in documents to be opened directly with a click while holding down the “Ctrl” key. Under Windows, it is possible for a link to be passed to the ShellExecute system function for further processing. A mechanism in LibreOffice is designed to block paths to executable files that are passed to ShellExecute to prevent executable files from being called.

Attackers can bypass this security mechanism with carefully prepared links in documents. This is achieved by using non-file URLs that ShellExecute can interpret as Windows file paths (CVE-2025-0514, CVSS 7.2, risk “high”). However, the LibreOffice developers do not discuss what such links look like or how to recognize whether this vulnerability is being abused.

The patched versions block such circumvention attempts. LibreOffice from version 24.8 onward is affected; version 24.8.5, which has been available for a few days, and newer versions no longer contain this bug. The LibreOffice developers recommend that Windows users in particular update to this or a newer version. It can be downloaded from the LibreOffice download page.

The previous LibreOffice security vulnerability became known last September. There, the repair function for damaged files in ZIP format had caused digital signatures to be considered valid even though they were defective.

(dmk)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.