LibreOffice Flaw Allows Attackers to Run Arbitrary Scripts via Macro URL

A significant security vulnerability in LibreOffice, designated as CVE-2025-1080, has been patched in versions 24.8.5 and 25.2.1, released on March 4, 2025.

The flaw, which allowed attackers to execute arbitrary scripts through manipulated macro URLs, posed a severe risk to users of the open-source office suite.

This vulnerability underscores the importance of prompt software updates in enterprise and personal computing environments.

Technical Breakdown of CVE-2025-1080

The vulnerability stems from LibreOffice’s implementation of Office URI Schemes, a feature designed to facilitate browser integration with Microsoft SharePoint servers.

While this functionality enables seamless document collaboration, researchers identified a critical oversight in LibreOffice’s custom vnd.libreoffice.command URI scheme.

In affected versions (prior to 24.8.5 and 25.2.1), attackers could craft specialized links containing embedded inner URLs.

When clicked, these malicious links bypassed security protocols and triggered internal LibreOffice macros with unauthorized arguments.

Security analyst Amel Bouziane-Leblond, who discovered the vulnerability, noted that “the URI handler failed to properly sanitize nested URL components, creating an execution pipeline for untrusted code.”

This exploitation mechanism could occur without user interaction beyond clicking a link in a web browser.

The flaw effectively transformed ordinary document-sharing workflows into potential attack vectors, particularly dangerous in organizations using SharePoint-integrated collaboration systems.

Mitigation and Patching Requirements

LibreOffice maintainers addressed the vulnerability through enhanced URI validation protocols in the updated releases. The patch introduces multiple security checks:

• Strict schema verification for nested URL components
• Macro execution confirmation dialogs for all command-based URI triggers
• Sandboxing of URI-handler processes

“These changes ensure command URIs adhere to strict formatting rules while maintaining compatibility with legitimate SharePoint integrations,” explained Caolán McNamara of Collabora Productivity, who led the patching effort.

Organizations unable to immediately upgrade should disable LibreOffice’s browser integration features through Group Policy settings or application hardening tools.

This discovery highlights the evolving security challenges in cross-platform productivity software.

Researchers and maintainers urge users to maintain vigilance against social engineering tactics that could amplify technical vulnerabilities.

The coordinated disclosure between independent security researchers and LibreOffice developers demonstrates effective open-source community responses to emerging threats.

Collect Threat Intelligence on the Latest Malware and Phishing Attacks with ANY.RUN TI Lookup -> Try for free