CVE-2025-27791 Overview
CVE-2025-27791 is a path traversal vulnerability [CWE-23] in Collabora Online, a collaborative office suite based on LibreOffice technology. The flaw exists in how Collabora Online processes the BaseFileName field returned by Web Application Open Platform Interface (WOPI) servers during CheckFileInfo responses. A malicious WOPI server can supply a crafted BaseFileName value that escapes the intended directory and writes files to arbitrary locations accessible by the Collabora Online process user. Attackers can chain this with a Time-of-Check Time-of-Use (TOCTOU) DNS resolution issue to redirect a Collabora instance to an attacker-controlled WOPI server. Versions prior to 24.04.12.4, 23.05.19, and 22.05.25 are affected.
Critical Impact
A remote attacker controlling a WOPI server response can write files anywhere the Collabora Online service can write, enabling code execution or configuration tampering.
Affected Products
- Collabora Online versions prior to 24.04.12.4
- Collabora Online versions prior to 23.05.19
- Collabora Online versions prior to 22.05.25
Discovery Timeline
- 2025-04-15 - CVE-2025-27791 published to the National Vulnerability Database
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-27791
Vulnerability Analysis
The vulnerability resides in the WOPI client logic inside Collabora Online. When Collabora Online retrieves file metadata from a WOPI host, the server returns a JSON response containing a BaseFileName field. Collabora Online uses this value to construct file paths without sufficient sanitization for directory traversal sequences. A response containing path separators or .. segments in BaseFileName causes Collabora Online to write content outside the intended document directory. The result is arbitrary file write under the privileges of the user running the coolwsd service.
The attack becomes practical when combined with a TOCTOU DNS lookup issue. Collabora Online resolves WOPI host addresses at one point and connects later, allowing an attacker who controls DNS responses to swap a trusted WOPI host for a malicious one between validation and use. The integrity impact is significant, while confidentiality and availability impact remain limited.
Root Cause
The root cause is insufficient input validation on the BaseFileName field of the WOPI CheckFileInfo response. Collabora Online treats the value as a trusted filename and concatenates it into a destination path. The code does not strip directory separators or reject relative path components, which places the defect under [CWE-23] Relative Path Traversal.
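The validation gap described above, shown as an added Python illustration; this is not Collabora Online's code. The document root, function names and both JSON bodies are constructed for the example. The naive join lets a crafted BaseFileName resolve outside the document directory, while the validated path refuses it.

```python
import json
import os

DOC_ROOT = "/srv/docs/jail"  # assumed document directory, illustration only

# Constructed CheckFileInfo bodies (not captured traffic).
BENIGN = '{"BaseFileName": "report.odt", "Size": 1024}'
CRAFTED = '{"BaseFileName": "../../outside/target.conf", "Size": 1024}'

def naive_destination(doc_root, base_file_name):
    """Flawed pattern: the server-supplied name is concatenated as-is."""
    return os.path.normpath(os.path.join(doc_root, base_file_name))

def validate_base_file_name(name):
    """Accept only a single plain path component; raise ValueError otherwise."""
    if not isinstance(name, str) or not name:
        raise ValueError("BaseFileName missing or not a string")
    if any(ch in name for ch in ("/", "\\", "\x00")):
        raise ValueError("BaseFileName contains a path separator or NUL")
    if name in (".", ".."):
        raise ValueError("BaseFileName is a relative path component")
    return name

def safe_destination(response_body, doc_root=DOC_ROOT):
    """Parse a CheckFileInfo body and return a destination inside doc_root."""
    name = validate_base_file_name(json.loads(response_body).get("BaseFileName"))
    root = os.path.realpath(doc_root)
    dest = os.path.realpath(os.path.join(root, name))
    # Defence in depth: even a validated name must resolve under the root.
    if os.path.commonpath([root, dest]) != root:
        raise ValueError("destination escapes the document directory")
    return dest

def is_rejected(response_body):
    """True when the hardened path refuses the response."""
    try:
        safe_destination(response_body)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print("naive :", naive_destination(DOC_ROOT, json.loads(CRAFTED)["BaseFileName"]))
    print("benign:", safe_destination(BENIGN))
    print("crafted rejected:", is_rejected(CRAFTED))
```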
Attack Vector
Exploitation requires network access and the ability to influence which WOPI server a Collabora Online instance contacts. The attacker hosts a malicious WOPI endpoint that responds to CheckFileInfo with a BaseFileName containing traversal sequences. Using the TOCTOU DNS issue, the attacker causes the Collabora Online server to consult the malicious host even when an allow-list of legitimate WOPI hosts is configured. Successful exploitation writes attacker-controlled bytes to a chosen path, which can be leveraged to overwrite configuration files, plant scripts in executable locations, or replace document templates. See the GitHub Security Advisory GHSA-9j32-gg3j-8w25 for technical details.
Detection Methods for CVE-2025-27791
Indicators of Compromise
- Unexpected files written outside the Collabora Online document storage directory, owned by the cool or lool service account.
- WOPI CheckFileInfo responses in logs containing .., forward slashes, or backslashes in the BaseFileName field.
- DNS query patterns from the Collabora Online host that resolve a trusted WOPI hostname to multiple distinct IP addresses within a short interval.
- Outbound HTTPS connections from coolwsd to WOPI hosts not present in the configured allow-list.
Detection Strategies
- Inspect coolwsd access logs for CheckFileInfo requests followed by file write operations to non-document paths.
- Compare DNS resolution results for configured WOPI hosts against an authoritative baseline to detect spoofing.
- Enable file integrity monitoring on the Collabora Online installation directory, configuration files, and home directory of the service account.
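One way to implement the DNS checks listed above (a trusted WOPI hostname resolving to several addresses within a short interval, and answers that differ from an authoritative baseline), as an added Python example that is not taken from the advisory or from Collabora. The hostnames, addresses, record layout and 60-second window are constructed assumptions; feed it resolver logs in whatever form your environment produces.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60  # assumed meaning of "short interval"; tune to your TTLs

# Constructed baseline: trusted WOPI host -> addresses from the authoritative zone.
BASELINE = {"wopi.example.com": {"192.0.2.10"}}

# Constructed resolver observations: (epoch seconds, queried name, answer IP).
SAMPLE = [
    (1000, "wopi.example.com.", "192.0.2.10"),
    (1030, "cdn.example.net", "203.0.113.5"),     # not a WOPI host, ignored
    (1042, "WOPI.example.com", "198.51.100.7"),   # off-baseline and a flap
    (1043, "wopi.example.com", "192.0.2.10"),     # flips back inside the window
    (1200, "wopi.example.com", "192.0.2.10"),     # window expired, clean
]

def detect_dns_anomalies(observations, baseline, window=WINDOW_SECONDS):
    """Return alerts as (timestamp, host, kind, addresses).

    kind is "off-baseline" when an answer is not in the baseline set, and
    "flap" when one host has more than one distinct answer within `window`
    seconds. Observations must be in time order.
    """
    recent = defaultdict(deque)  # host -> (timestamp, ip) pairs still in window
    alerts = []
    for ts, name, ip in observations:
        host = name.rstrip(".").lower()  # normalise trailing dot and case
        if host not in baseline:
            continue
        if ip not in baseline[host]:
            alerts.append((ts, host, "off-baseline", (ip,)))
        seen = recent[host]
        while seen and ts - seen[0][0] > window:
            seen.popleft()               # drop answers older than the window
        seen.append((ts, ip))
        distinct = tuple(sorted({addr for _, addr in seen}))
        if len(distinct) > 1:
            alerts.append((ts, host, "flap", distinct))
    return alerts

if __name__ == "__main__":
    for alert in detect_dns_anomalies(SAMPLE, BASELINE):
        print(alert)
```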
Monitoring Recommendations
- Forward coolwsd logs and host audit logs to a centralized analytics platform for correlation of WOPI traffic with filesystem events.
- Alert on process executions spawned by coolwsd outside of the standard LibreOffice conversion binaries.
- Monitor egress traffic from Collabora Online servers and block connections to WOPI hosts that are not explicitly trusted.
How to Mitigate CVE-2025-27791
Immediate Actions Required
- Upgrade Collabora Online to version 24.04.13.1, 23.05.19, or 22.05.25 or later, depending on the deployed branch.
- Restrict the WOPI host allow-list in coolwsd.xml to a minimal set of trusted document hosts.
- Run the coolwsd service as an unprivileged user with no write access outside its required directories.
Patch Information
Collabora released fixes in versions 24.04.13.1, 23.05.19, and 22.05.25. The patched releases validate the BaseFileName value returned by WOPI servers and reject path separators. Administrators should consult the Collabora Online Security Advisory GHSA-9j32-gg3j-8w25 and apply distribution packages from official repositories.
Workarounds
- Place Collabora Online behind a network policy that allows outbound HTTPS only to known WOPI hosts by IP address, defeating the DNS swap technique.
- Pin DNS resolution for configured WOPI hosts using /etc/hosts or an internal authoritative resolver to prevent TOCTOU substitution.
- Apply mandatory access control profiles such as AppArmor or SELinux to confine coolwsd write access to its document directories.