CVE-2025-0514

Title: Executable hyperlink Windows path targets executed unconditionally on activation

Announced: February 25, 2025

Fixed in: LibreOffice 24.8.5

Description:

LibreOffice has a feature where hyperlinks in a document can be activated by CTRL+click. Under Windows the link can be passed to the system ShellExecute function for handling. LibreOffice uses a mechanism that blocks paths to executable targets from being passed to ShellExecute, to avoid attempting to launch executables.

In versions < 24.8.5 this mechanism could be bypassed by use of non-file URLs that could be interpreted by ShellExecute as Windows file paths.

In the fixed versions this circumvention has been blocked. All Windows users are recommended to upgrade to LibreOffice >= 24.8.5.
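The class of flaw described above, as an added sketch that is not LibreOffice's code: a filter that inspects only file: URLs is compared with a default-deny check that also rejects strings a Windows shell could read as a path. The scheme allow-list, the extension list, the function names and the sample targets are assumptions constructed for illustration, not the inputs from the report.

```python
import ntpath
import re
from urllib.parse import urlsplit, unquote

# Assumed policy values for this sketch; not LibreOffice's actual lists.
ALLOWED_SCHEMES = {"http", "https", "mailto"}
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".msi", ".scr", ".lnk"}

DRIVE_PATH = re.compile(r"^[A-Za-z]:[\\/]")   # C:\dir\file or C:/dir/file
UNC_PATH = re.compile(r"^[\\/]{2}[^\\/]")     # \\server\share\file

def has_executable_ext(path):
    return ntpath.splitext(unquote(path))[1].lower() in EXECUTABLE_EXTS

def file_only_check(target):
    """Filter keyed on the file: scheme only; True means 'hand to the OS'."""
    parts = urlsplit(target)
    if parts.scheme.lower() == "file":
        return not has_executable_ext(parts.path)
    return True  # non-file targets are never inspected

def strict_check(target):
    """Default-deny decision; returns (allowed, reason)."""
    text = unquote(target.strip())
    if DRIVE_PATH.match(text) or UNC_PATH.match(text):
        # The OS can treat this as a path even though it is not a file: URL.
        return False, "windows-path"
    parts = urlsplit(target.strip())
    scheme = parts.scheme.lower()
    if scheme == "file":
        if has_executable_ext(parts.path):
            return False, "file-url-to-executable"
        return True, "file-url"
    if scheme in ALLOWED_SCHEMES:
        return True, "allowed-scheme"
    return False, "scheme-not-allowed"

# Constructed link targets for illustration; not taken from the report.
SAMPLES = [
    "https://www.libreoffice.org/",
    "file:///C:/Users/Public/report.pdf",
    "file:///C:/Users/Public/tool.exe",
    "C:\\Users\\Public\\tool.exe",
    "\\\\fileserver\\share\\setup.exe",
]

def compare(samples=SAMPLES):
    return [(s, file_only_check(s), strict_check(s)) for s in samples]

if __name__ == "__main__":
    for target, weak, (ok, reason) in compare():
        print(f"{target!r:45} file-only={weak!s:5} strict={ok!s:5} {reason}")
```

The last two samples pass the file-only filter and are rejected by the strict check, which is why link handling of this kind is safer as an allow-list than as a deny-list tied to one scheme.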

Credits:

  • Thanks to Amel Bouziane-Leblond for finding and reporting this issue.
  • Thanks to Caolán McNamara of Collabora Productivity and Stephan Bergmann of allotropia for providing a fix.

References:

    CVE-2025-0514