CVE-2025-64407 Overview
CVE-2025-64407 is a missing authorization vulnerability in Apache OpenOffice that allows crafted documents to load external links without user prompting. The flaw affects a specific Uniform Resource Identifier (URI) scheme that references external files. When triggered, OpenOffice loads the linked content and can transmit system configuration data, such as environment variables, to an attacker-controlled endpoint. The issue is tracked under [CWE-201] Information Exposure Through Sent Data and [CWE-862] Missing Authorization. All Apache OpenOffice releases through 4.1.15 are affected. The LibreOffice project reported the same underlying issue as CVE-2024-12426.
Critical Impact
Attackers can craft documents that silently exfiltrate local system configuration and environment data when opened by a victim.
Affected Products
- Apache OpenOffice versions through 4.1.15
- Apache OpenOffice on all supported operating systems
- Documents referencing the vulnerable URI scheme
Discovery Timeline
- 2025-11-12 - CVE-2025-64407 published to the National Vulnerability Database (NVD)
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-64407
Vulnerability Analysis
Apache OpenOffice supports embedded links inside documents. Under normal handling, external resources should require user confirmation before being fetched. This vulnerability breaks that expectation for a specific URI scheme. When a document references external files through the affected scheme, OpenOffice loads the target content automatically. No prompt is shown, and no authorization check runs before the request executes.
The linked resource can resolve to system configuration values, environment variables, or other local settings. Because the request is initiated by the OpenOffice process, the returned data may be embedded back into the document view or transmitted to an attacker-controlled destination via the same link handling logic. This creates an information disclosure channel that requires only that a victim open a crafted document.
Root Cause
The root cause is a missing authorization check [CWE-862] in the link resolution logic. OpenOffice does not enforce a user consent step for the vulnerable URI scheme before dereferencing the target. The affected scheme also allows inclusion of system configuration data that was never intended to be transmitted outside the local environment, producing the information exposure condition captured by [CWE-201].
Attack Vector
The attack requires an attacker to deliver a crafted OpenOffice document through email, file sharing, or a web download. Upon opening the document, OpenOffice silently resolves the embedded external link. User interaction is limited to opening the file, and no additional privileges are required. See the OpenOffice CVE-2025-64407 advisory and the Apache mailing list discussion for vendor technical details.
Detection Methods for CVE-2025-64407
Indicators of Compromise
- Outbound network connections from soffice.exe, soffice.bin, or related OpenOffice binaries to untrusted external hosts shortly after document open events
- Document files containing the vulnerable URI scheme referencing external file paths or remote resources
- Unexpected DNS queries or HTTP requests initiated by OpenOffice processes to attacker-controlled infrastructure
Detection Strategies
- Inspect .odt, .ods, .odp, and other OpenOffice document formats for embedded links using the affected URI scheme before distribution or opening
- Correlate OpenOffice process execution with subsequent outbound network activity on endpoint telemetry
- Alert on OpenOffice processes accessing sensitive local paths such as environment configuration files immediately followed by network egress
Monitoring Recommendations
- Track installed Apache OpenOffice versions across the estate and flag any host running 4.1.15 or earlier
- Monitor endpoint DNS and HTTP telemetry for OpenOffice-initiated requests to non-corporate domains
- Log document open events for OpenOffice on high-value user workstations to support post-incident review
How to Mitigate CVE-2025-64407
Immediate Actions Required
- Upgrade Apache OpenOffice to version 4.1.16 on all affected endpoints as the primary remediation
- Block or quarantine OpenOffice documents received from untrusted external senders until patching is complete
- Restrict outbound network access from OpenOffice processes at the host firewall where operationally feasible
Patch Information
Apache has released Apache OpenOffice 4.1.16, which fixes CVE-2025-64407 by enforcing authorization on the affected URI scheme. Users of 4.1.15 and earlier must upgrade. Refer to the OpenOffice security advisory for download and verification instructions.
Workarounds
- Avoid opening OpenOffice documents from untrusted sources until the 4.1.16 upgrade is applied
- Use network-level egress controls to prevent OpenOffice from reaching arbitrary external hosts
- Consider using an alternative office suite in isolated environments for handling untrusted documents while patching is in progress
# Verify installed Apache OpenOffice version on Linux
soffice --version
# Expected output after remediation:
# OpenOffice 4.1.16
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

