Apache OpenOffice has released a security update, version 4.1.16, that addresses seven vulnerabilities in the open-source office suite: one “Important” memory corruption flaw and six “Moderate” severity issues that share a common weakness, remote content being loaded without the user's authorization.
Users of Apache OpenOffice through version 4.1.15 are strongly recommended to upgrade immediately to version 4.1.16.
The most notable of the six, CVE-2025-64407, is a Missing Authorization flaw in Apache OpenOffice's link handling that lets a specially crafted document silently leak system information: the document forces its external links to be loaded without prompting the user.
Such a document can use a URI scheme to place INI file values and environment variables into the link that is loaded, transmitting system configuration data that was never intended to leave the machine.
The most severe flaw by rating is CVE-2025-64406, which carries an “Important” severity tag: an out-of-bounds write in the CSV import code. A malicious document crafted to trigger it could crash the program or corrupt other areas of memory.
Five additional “Moderate” severity vulnerabilities share a core theme of Missing Authorization, allowing attackers to bypass user prompts when loading remote content.
In all cases, an attacker could craft a document that causes external links to load without prompting the user for permission. This “stealth-mode” loading could be used for reconnaissance or to load malicious payloads via the following features:
- CVE-2025-64405: Remote documents loaded without prompt via the DDE (Dynamic Data Exchange) function in Calc spreadsheets.
- CVE-2025-64404: Remote documents loaded without prompt via background fill or bullet images.
- CVE-2025-64403: Remote documents loaded without prompt via “external data sources” in Calc spreadsheets.
- CVE-2025-64402: Remote documents loaded without prompt via OLE (Object Linking and Embedding) objects.
- CVE-2025-64401: Remote documents loaded without prompt via IFrame (“floating frames”).
The Apache OpenOffice Project advises all users to upgrade to version 4.1.16 to apply the fixes for all these issues.
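As an added, defender-side example (not part of the advisory and not Apache OpenOffice's own code), the script below lists every reference in an ODF package's content.xml and styles.xml that points outside the package, covering the link types named above: floating frames, linked OLE objects, linked sections and external data, Calc DDE sources, and fill or bullet images. The sample document is constructed inline; the element and attribute names are the standard ODF ones, and the `example.invalid` targets are placeholders.

```python
"""Triage an ODF package for references that leave the document (added example)."""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

OFFICE = "urn:oasis:names:tc:opendocument:xmlns:office:1.0"
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
DDE_SOURCE = "{%s}dde-source" % OFFICE
PARTS = ("content.xml", "styles.xml")  # links, fills and bullet images live here


def external_references(odf_bytes: bytes) -> list:
    """Return (part, element, target) for every reference that leaves the package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as zf:
        for part in PARTS:
            if part not in zf.namelist():
                continue
            for el in ET.fromstring(zf.read(part)).iter():
                name, href = el.tag.rsplit("}", 1)[-1], el.get(XLINK_HREF)
                if el.tag == DDE_SOURCE:  # DDE has no href; the topic names the source
                    app = el.get("{%s}dde-application" % OFFICE, "")
                    topic = el.get("{%s}dde-topic" % OFFICE, "")
                    findings.append((part, name, f"{app}|{topic}"))
                elif href and urlsplit(href).scheme:  # internal hrefs carry no scheme
                    findings.append((part, name, href))
    return findings


def build_sample() -> bytes:
    """Constructed ODT: one package-internal picture plus four external references."""
    content = (
        f'<office:document-content xmlns:office="{OFFICE}" '
        'xmlns:draw="urn:oasis:names:tc:opendocument:xmlns:drawing:1.0" '
        'xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0" '
        'xmlns:table="urn:oasis:names:tc:opendocument:xmlns:table:1.0" '
        'xmlns:xlink="http://www.w3.org/1999/xlink">'
        '<draw:image xlink:href="Pictures/logo.png"/>'  # internal, not reported
        '<draw:floating-frame xlink:href="https://example.invalid/f.html"/>'  # IFrame
        '<draw:object xlink:href="https://example.invalid/e.ods"/>'  # linked OLE object
        '<text:section-source xlink:href="https://example.invalid/s.odt"/>'  # linked section
        '<table:dde-link><office:dde-source office:dde-application="soffice" '
        'office:dde-topic="https://example.invalid/d.ods" office:dde-item="A1"/>'
        '</table:dde-link></office:document-content>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("content.xml", content)
    return buf.getvalue()
```

Run it over a real .odt/.ods/.odp file's bytes instead of `build_sample()` to see what a document would try to fetch before you open it; an empty result means no link-type element on this list points outside the package.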