Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-64766

CVE-2025-64766: NixOS OnlyOffice Information Disclosure

CVE-2025-64766 is an information disclosure vulnerability in NixOS OnlyOffice caused by a hard-coded secret. Attackers could access cached documents with known revision IDs. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2025-64766 Overview

CVE-2025-64766 affects the NixOS module for the OnlyOffice document server. The NixOS module shipped a hard-coded secret used to protect the OnlyOffice file cache via an nginx secure_link directive. An attacker who knows a valid document revision ID can use this static secret to sign requests and retrieve cached documents. The issue is tracked under CWE-798: Use of Hard-coded Credentials and was resolved in NixOS unstable 25.11 and stable 25.05.

Critical Impact

An unauthenticated network attacker with a valid revision ID can retrieve documents from the OnlyOffice file cache, including documents belonging to users whose access has since expired.

Affected Products

  • NixOS services.onlyoffice module, versions 22.11 up to (but not including) 25.05
  • NixOS unstable versions before 25.11
  • nixos/modules/services/web-apps/onlyoffice.nix in nixpkgs

Discovery Timeline

  • 2025-11-17 - CVE-2025-64766 published to the National Vulnerability Database (NVD)
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-64766

Vulnerability Analysis

The NixOS OnlyOffice module configures nginx to protect cached document requests using the secure_link module. The secure_link mechanism requires a shared secret that is combined with the request URL to produce a signed token. In vulnerable versions, the module defined this secret as the literal string mynonce inside defaultNginxNonceFileContent. Because the value ships in the public nixpkgs source tree, every deployment that relied on the default configuration used the identical secret.

An attacker who obtains a valid revision ID can compute the correct secure_link token offline and issue a request that the OnlyOffice cache treats as legitimate. Access does not require prior authentication to the OnlyOffice service, and the attack works over the network. The primary risk is retrieval of documents that users previously edited, including cases where the original user's access has since been revoked.

Root Cause

The root cause is a hard-coded credential embedded in a NixOS module. The defaultNginxNonceFileContent value defined the secure_link_secret as "mynonce" and rendered it into an nginx configuration file at build time. Operators who did not override the option inherited this well-known secret, defeating the purpose of the signed URL scheme.

Attack Vector

Exploitation is remote and unauthenticated but constrained by knowledge of a valid revision ID. Revision IDs are not published and are difficult to enumerate in practice, which limits opportunistic exploitation. Insiders, former collaborators, or attackers who scraped identifiers from logs, referrer headers, or client-side artifacts are the most plausible actors.

text
// Patch excerpt: nixos/modules/services/web-apps/onlyoffice.nix
 let
   cfg = config.services.onlyoffice;
-  defaultNginxNonceFileContent = "set $secure_link_secret \"mynonce\";";
-  defaultNginxNonceFile = pkgs.writeText "onlyoffice-nonce-nginx.conf" ''
-    ${defaultNginxNonceFileContent}
-  '';
 in
 {
   options.services.onlyoffice = {

Source: NixOS/nixpkgs commit 8e74d05. The patch removes the default and now requires operators to supply a user-generated nonce.

Detection Methods for CVE-2025-64766

Indicators of Compromise

  • Requests to OnlyOffice cache endpoints containing secure_link tokens generated using the string mynonce as the shared secret.
  • Access to document revisions by clients or source IP addresses that were not associated with the original editing session.
  • OnlyOffice cache retrievals for revision IDs belonging to users whose accounts or shares have been disabled.

Detection Strategies

  • Audit the running nginx configuration on OnlyOffice hosts for a secure_link_secret value equal to mynonce or any other default carried over from the vulnerable module.
  • Correlate OnlyOffice document server access logs with the current authorization state to identify retrievals by principals lacking active access.
  • Review nginx access logs for repeated secure_link requests originating from unexpected geographies or user agents.

Monitoring Recommendations

  • Alert on any deployment where the services.onlyoffice module is enabled and the nonce option has not been explicitly set by the operator.
  • Forward OnlyOffice and nginx access logs to a centralized SIEM or data lake for retention and correlation with identity events.
  • Track access to document cache paths and flag hits on revision IDs older than the configured session lifetime.

How to Mitigate CVE-2025-64766

Immediate Actions Required

  • Upgrade nixpkgs to NixOS 25.05 or NixOS unstable 25.11 or later, which remove the default hard-coded nonce.
  • Set a strong, unique value for the OnlyOffice nginx nonce option and store it outside the Nix store using a secrets management mechanism.
  • Rotate any document revision IDs that may have been exposed and revalidate active document shares.

Patch Information

The fix was delivered in nixpkgs pull request #462100 and backported to release-25.05 in pull request #462204. See GHSA-58m4-5wg3-5g5v for the vendor advisory. The patched module removes defaultNginxNonceFileContent and requires operators to supply their own nonce file.

Workarounds

  • If immediate upgrade is not possible, override the nginx nonce configuration to point at a file containing a locally generated random secret (for example, 32 bytes from /dev/urandom).
  • Restrict network access to the OnlyOffice document server so only trusted application front ends can reach the cache endpoints.
  • Reduce the window of exposure by shortening document cache retention on the OnlyOffice server.
bash
# Generate a strong nonce and reference it from the NixOS module
umask 077
printf 'set $secure_link_secret "%s";\n' "$(openssl rand -hex 32)" \
  > /var/lib/onlyoffice/nginx-nonce.conf

# In configuration.nix, point the OnlyOffice module at the file
# services.onlyoffice.nginxNonceFile = "/var/lib/onlyoffice/nginx-nonce.conf";
nixos-rebuild switch

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.