Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-27791

CVE-2025-27791: Collabora Online Path Traversal Flaw

CVE-2025-27791 is a path traversal vulnerability in Collabora Online that allows attackers to write files to arbitrary locations. This article covers the technical details, affected versions, impact, and mitigation.

Updated:

CVE-2025-27791 Overview

Collabora Online is a collaborative online office suite built on LibreOffice technology. CVE-2025-27791 is a path traversal vulnerability [CWE-23] in how Collabora Online processes the BaseFileName field returned by Web Application Open Platform Interface (WOPI) servers in CheckFileInfo responses. A malicious WOPI server can supply a crafted BaseFileName that causes Collabora Online to write a file to any location writable by the running user identifier (UID). Attackers can chain this flaw with a Time-of-Check Time-of-Use (TOCTOU) Domain Name System (DNS) lookup issue to direct the application to an attacker-controlled WOPI endpoint. The flaw affects versions before 24.04.12.4, 23.05.19, and 22.05.25.

Critical Impact

Remote attackers can write arbitrary files within the privilege scope of the Collabora Online process, enabling configuration tampering, code drop, and potential remote code execution.

Affected Products

  • Collabora Online versions prior to 24.04.12.4
  • Collabora Online versions prior to 23.05.19
  • Collabora Online versions prior to 22.05.25

Discovery Timeline

  • 2025-04-15 - CVE-2025-27791 published to the National Vulnerability Database (NVD)
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-27791

Vulnerability Analysis

The vulnerability resides in the handling of the BaseFileName field from WOPI CheckFileInfo responses. Collabora Online trusts the value returned by the WOPI server and uses it to construct file paths without normalizing or validating traversal sequences. A response containing ../ segments or absolute paths is processed as-is. The resulting file write occurs under the UID of the Collabora Online process, so any directory writable by that user becomes a viable target. Exploitation can drop payloads into application configuration directories, web roots, or scheduled task locations, depending on deployment context. The path traversal weakness is classified as [CWE-23] (Relative Path Traversal).

Root Cause

The root cause is missing input validation on the BaseFileName attribute returned from external WOPI servers. The application treats remote metadata as trustworthy and concatenates it into local filesystem paths without canonicalization.

Attack Vector

The attack requires the Collabora Online instance to communicate with a WOPI server controlled by the attacker. Because direct attacker control of the configured WOPI host is unlikely, the advisory describes chaining the flaw with a TOCTOU DNS lookup issue. The attacker manipulates DNS responses so that the WOPI hostname resolves to a legitimate endpoint during initial validation, then resolves to an attacker-controlled host when the actual WOPI request is issued. The malicious server then returns a CheckFileInfo response with a traversal-laden BaseFileName. For technical details, see the Collabora Online GitHub Security Advisory.

Detection Methods for CVE-2025-27791

Indicators of Compromise

  • Files written outside expected Collabora document directories by the coolwsd process or the Collabora UID.
  • WOPI CheckFileInfo responses in proxy or application logs containing .., /, or absolute paths in the BaseFileName value.
  • DNS resolutions for configured WOPI hostnames returning multiple, inconsistent IP addresses within short timeframes.

Detection Strategies

  • Inspect outbound WOPI HTTP responses at a reverse proxy and alert on BaseFileName values containing path separators or traversal sequences.
  • Monitor filesystem activity for the Collabora Online service account writing outside its document storage path.
  • Correlate DNS query responses for WOPI host configurations against expected IP ranges and flag deviations consistent with DNS rebinding.

Monitoring Recommendations

  • Enable verbose logging in coolwsd.xml and forward logs to a centralized logging or SIEM platform for CheckFileInfo response auditing.
  • Audit the Collabora Online host filesystem for unexpected changes under user-writable paths, including SSH configuration files and cron directories.
  • Track outbound connections from Collabora Online hosts and validate that only approved WOPI endpoints are contacted.

How to Mitigate CVE-2025-27791

Immediate Actions Required

  • Upgrade Collabora Online to version 24.04.13.1, 23.05.19, or 22.05.25 or later, matching your release branch.
  • Restrict the configured WOPI host allowlist to trusted, internally controlled servers.
  • Run the Collabora Online process under a low-privilege UID with a restrictive filesystem scope.

Patch Information

The issue is patched in Collabora Online versions 24.04.13.1, 23.05.19, and 22.05.25. Refer to the Collabora Online GitHub Security Advisory GHSA-9j32-gg3j-8w25 for upstream fix details and release notes.

Workarounds

  • Place Collabora Online behind a reverse proxy that strips or rejects WOPI CheckFileInfo responses containing path separators in BaseFileName.
  • Use a local DNS resolver with response pinning or short TTL caching controls to mitigate TOCTOU DNS rebinding against WOPI hostnames.
  • Apply mandatory access controls such as SELinux or AppArmor profiles to confine the Collabora Online process to its document storage directory.
bash
# Configuration example: restrict allowed WOPI hosts in coolwsd.xml
<storage>
  <wopi allow="true">
    <host allow="true">wopi.internal.example.com</host>
    <host allow="false">.*</host>
  </wopi>
</storage>

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.