
The Document Foundation has released security updates for LibreOffice to address a vulnerability that could allow attackers to execute arbitrary scripts. The vulnerability, tracked as CVE-2025-1080 and assigned a CVSS score of 7.2, affects LibreOffice versions prior to 24.8.5 and 25.2.1.
The flaw stems from LibreOffice’s support for Office URI Schemes, a feature designed to enable browser integration with platforms like Microsoft SharePoint. “An additional scheme ‘vnd.libreoffice.command’ specific to LibreOffice was added,” explains the security advisory. This scheme, however, could be manipulated to execute malicious code.
“In the affected versions of LibreOffice a link in a browser using that scheme could be constructed with an embedded inner URL that when passed to LibreOffice could call internal macros with arbitrary arguments,” the advisory elaborates. This essentially means that an attacker could craft a malicious link that, when clicked by a LibreOffice user, would trigger the execution of malicious macros.
This vulnerability poses a significant risk, as arbitrary script execution can lead to a variety of malicious activities, including data theft, malware installation, and system compromise. The Document Foundation urges all users to upgrade to LibreOffice 24.8.5 or 25.2.1 to mitigate this risk. “In the fixed versions this circumvention has been blocked,” assures the advisory.
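The two things a defender can act on from the advisory are the fixed version thresholds and the unusual link scheme. The following Python script is an added example, not code from The Document Foundation or the advisory: it decides whether an installed LibreOffice version string falls below the fixed releases named above (24.8.5 and 25.2.1), and it scans HTML or plain text for links that use the `vnd.libreoffice.command` scheme, pulling out any inner `http(s)` URL embedded in them so they can be reviewed or blocked. The sample document and the `constructed-sample|...` payload layout are constructed for the example and are not the scheme's real encoding; the rule that release lines older than 24.8 count as affected is an assumption, since the page only names the two fixed versions.

```python
import re
from typing import Dict, List, Tuple

# Fixed releases named in the advisory: the 24.8 line is fixed from 24.8.5,
# the 25.2 line from 25.2.1.
FIXED_RELEASES = {(24, 8): (24, 8, 5), (25, 2): (25, 2, 1)}

SCHEME = "vnd.libreoffice.command"
# Match the scheme plus everything up to whitespace, a quote or an angle
# bracket, so the pattern works on raw HTML href values and on plain text.
_LINK_RE = re.compile(rf'{re.escape(SCHEME)}:([^\s"\'<>]+)', re.IGNORECASE)
# Any http(s) URL embedded inside the scheme payload (the "inner URL").
_INNER_URL_RE = re.compile(r'https?://[^\s"\'<>|]+', re.IGNORECASE)


def parse_version(s: str) -> Tuple[int, int, int]:
    """Turn '24.8.4' (or '24.8') into a comparable (major, minor, patch) tuple."""
    parts = s.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised LibreOffice version: {s!r}")
    nums = [int(p) for p in parts[:3]]
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2])


def is_affected(version: str) -> bool:
    """True if this version is below the fixed release for its branch."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_RELEASES:
        return v < FIXED_RELEASES[branch]
    # Assumption (not stated in the advisory): release lines older than the
    # newest fixed branch received no fix and are treated as affected, while
    # newer lines already ship with it.
    return branch < max(FIXED_RELEASES)


def find_suspicious_links(text: str) -> List[Dict[str, object]]:
    """Return every vnd.libreoffice.command link in text with its inner URLs."""
    findings = []
    for m in _LINK_RE.finditer(text):
        payload = m.group(1)
        findings.append({
            "raw": m.group(0),
            "inner_urls": _INNER_URL_RE.findall(payload),
        })
    return findings


# Constructed sample page: one ordinary https link and two links using the
# LibreOffice-specific scheme (payload layout is invented for the example).
SAMPLE_HTML = """
<p>Quarterly report: <a href="https://intranet.example.invalid/reports/q1.odt">open</a></p>
<p>Edit in desktop app: <a href="vnd.libreoffice.command:constructed-sample|http://intranet.example.invalid/q1.odt">edit</a></p>
<p>Plain text mention: vnd.libreoffice.command:another-constructed-sample</p>
"""


if __name__ == "__main__":
    for ver in ("24.2.7", "24.8.4", "24.8.5", "25.2.0", "25.2.1"):
        print(f"LibreOffice {ver}: {'AFFECTED' if is_affected(ver) else 'fixed'}")
    for hit in find_suspicious_links(SAMPLE_HTML):
        print("flagged:", hit["raw"], "inner URLs:", hit["inner_urls"])
```

Feed `find_suspicious_links` the body of a mail, a wiki page or a proxy log line; any hit is worth review regardless of what the inner URL points at, because the risk described in the advisory lies in the scheme handler itself, and `is_affected` tells you whether the endpoint that would receive the click still needs the update.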
The vulnerability was discovered by Amel Bouziane-Leblond, who responsibly reported the issue to The Document Foundation.
Users are encouraged to apply the latest security updates promptly to ensure their systems remain protected.