Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-64407

CVE-2025-64407: Apache OpenOffice Info Disclosure Flaw

CVE-2025-64407 is an information disclosure vulnerability in Apache OpenOffice that allows attackers to extract system data via malicious documents. This article covers technical details, affected versions, and mitigations.

Published:

CVE-2025-64407 Overview

CVE-2025-64407 is a missing authorization vulnerability in Apache OpenOffice that allows crafted documents to load external links without user prompting. The flaw affects a specific Uniform Resource Identifier (URI) scheme that references external files. When triggered, OpenOffice loads the linked content and can transmit system configuration data, such as environment variables, to an attacker-controlled endpoint. The issue is tracked under [CWE-201] Information Exposure Through Sent Data and [CWE-862] Missing Authorization. All Apache OpenOffice releases through 4.1.15 are affected. The LibreOffice project reported the same underlying issue as CVE-2024-12426.

Critical Impact

Attackers can craft documents that silently exfiltrate local system configuration and environment data when opened by a victim.

Affected Products

  • Apache OpenOffice versions through 4.1.15
  • Apache OpenOffice on all supported operating systems
  • Documents referencing the vulnerable URI scheme

Discovery Timeline

  • 2025-11-12 - CVE-2025-64407 published to the National Vulnerability Database (NVD)
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-64407

Vulnerability Analysis

Apache OpenOffice supports embedded links inside documents. Under normal handling, external resources should require user confirmation before being fetched. This vulnerability breaks that expectation for a specific URI scheme. When a document references external files through the affected scheme, OpenOffice loads the target content automatically. No prompt is shown, and no authorization check runs before the request executes.

The linked resource can resolve to system configuration values, environment variables, or other local settings. Because the request is initiated by the OpenOffice process, the returned data may be embedded back into the document view or transmitted to an attacker-controlled destination via the same link handling logic. This creates an information disclosure channel that requires only that a victim open a crafted document.

Root Cause

The root cause is a missing authorization check [CWE-862] in the link resolution logic. OpenOffice does not enforce a user consent step for the vulnerable URI scheme before dereferencing the target. The affected scheme also allows inclusion of system configuration data that was never intended to be transmitted outside the local environment, producing the information exposure condition captured by [CWE-201].

Attack Vector

The attack requires an attacker to deliver a crafted OpenOffice document through email, file sharing, or a web download. Upon opening the document, OpenOffice silently resolves the embedded external link. User interaction is limited to opening the file, and no additional privileges are required. See the OpenOffice CVE-2025-64407 advisory and the Apache mailing list discussion for vendor technical details.

Detection Methods for CVE-2025-64407

Indicators of Compromise

  • Outbound network connections from soffice.exe, soffice.bin, or related OpenOffice binaries to untrusted external hosts shortly after document open events
  • Document files containing the vulnerable URI scheme referencing external file paths or remote resources
  • Unexpected DNS queries or HTTP requests initiated by OpenOffice processes to attacker-controlled infrastructure

Detection Strategies

  • Inspect .odt, .ods, .odp, and other OpenOffice document formats for embedded links using the affected URI scheme before distribution or opening
  • Correlate OpenOffice process execution with subsequent outbound network activity on endpoint telemetry
  • Alert on OpenOffice processes accessing sensitive local paths such as environment configuration files immediately followed by network egress

Monitoring Recommendations

  • Track installed Apache OpenOffice versions across the estate and flag any host running 4.1.15 or earlier
  • Monitor endpoint DNS and HTTP telemetry for OpenOffice-initiated requests to non-corporate domains
  • Log document open events for OpenOffice on high-value user workstations to support post-incident review

How to Mitigate CVE-2025-64407

Immediate Actions Required

  • Upgrade Apache OpenOffice to version 4.1.16 on all affected endpoints as the primary remediation
  • Block or quarantine OpenOffice documents received from untrusted external senders until patching is complete
  • Restrict outbound network access from OpenOffice processes at the host firewall where operationally feasible

Patch Information

Apache has released Apache OpenOffice 4.1.16, which fixes CVE-2025-64407 by enforcing authorization on the affected URI scheme. Users of 4.1.15 and earlier must upgrade. Refer to the OpenOffice security advisory for download and verification instructions.

Workarounds

  • Avoid opening OpenOffice documents from untrusted sources until the 4.1.16 upgrade is applied
  • Use network-level egress controls to prevent OpenOffice from reaching arbitrary external hosts
  • Consider using an alternative office suite in isolated environments for handling untrusted documents while patching is in progress
bash
# Verify installed Apache OpenOffice version on Linux
soffice --version

# Expected output after remediation:
# OpenOffice 4.1.16

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.