Critical vulnerabilities in LibreOffice (CVE-2024-12425 and CVE-2024-12426) allow attackers to overwrite arbitrary files and retrieve sensitive system data via malicious documents.
These flaws affect both desktop users and server-side implementations, posing significant risks to enterprises and individual users relying on the open-source Office suite.
CVE-2024-12425: Path Traversal via Embedded Fonts
According to Codean Labs, the vulnerability originates from improper sanitization of user-supplied font names in OpenDocument XML files.
When processing embedded fonts, LibreOffice constructs temporary file paths using unsanitized svg:font-family values from document metadata.
Attackers can exploit this by injecting path traversal sequences into font declarations, allowing arbitrary .ttf file writes outside the designated temporary directory.
For example, a malicious .fodt file containing the following XML snippet writes a font to passwd0.ttf:
While the .ttf extension limits immediate code execution, this flaw enables server-side attacks by overwriting web application files or configuration scripts.
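As an added example (not code from the advisory, Codean Labs or LibreOffice), the check below scans a flat ODT document for svg:font-family values that could not safely be used as a temporary file name, and shows the hardened path construction a document-conversion service should use; the sample document is constructed, and the namespace URIs are the standard ODF ones.

```python
import os
import re
import xml.etree.ElementTree as ET

# Namespaces used by flat OpenDocument (.fodt) files.
NS = {
    "style": "urn:oasis:names:tc:opendocument:xmlns:style:1.0",
    "svg": "urn:oasis:names:tc:opendocument:xmlns:svg-compatible:1.0",
}
FONT_FACE = "{%s}font-face" % NS["style"]
SVG_FONT_FAMILY = "{%s}font-family" % NS["svg"]

# Constructed sample: one benign declaration and one carrying traversal sequences.
SAMPLE_FODT = """<?xml version="1.0" encoding="UTF-8"?>
<office:document xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"
  xmlns:style="urn:oasis:names:tc:opendocument:xmlns:style:1.0"
  xmlns:svg="urn:oasis:names:tc:opendocument:xmlns:svg-compatible:1.0">
  <office:font-face-decls>
    <style:font-face style:name="Liberation Serif" svg:font-family="'Liberation Serif'"/>
    <style:font-face style:name="evil" svg:font-family="../../../tmp/payload"/>
  </office:font-face-decls>
</office:document>
"""

# Anything that could change the directory when joined onto a temp path.
UNSAFE = re.compile(r"[\\/\x00]|\.\.")


def font_families(fodt_xml: str) -> list:
    """Return every svg:font-family value declared in the document."""
    root = ET.fromstring(fodt_xml)
    return [el.get(SVG_FONT_FAMILY, "") for el in root.iter(FONT_FACE)]


def suspicious_font_families(fodt_xml: str) -> list:
    """Flag font-family values containing separators, '..' or NUL (detection use)."""
    return [f for f in font_families(fodt_xml) if UNSAFE.search(f)]


def safe_font_path(tmp_dir: str, family: str) -> str:
    """Hardened construction: whitelist characters, then verify the path stays inside tmp_dir."""
    name = re.sub(r"[^A-Za-z0-9 _-]", "_", family.strip("'\"")).strip() or "font"
    base = os.path.realpath(tmp_dir)
    path = os.path.realpath(os.path.join(base, name + ".ttf"))
    if os.path.commonpath([path, base]) != base:
        raise ValueError("font path escapes temp dir")
    return path
```

Running `suspicious_font_families(SAMPLE_FODT)` on the constructed document flags only the traversal value, while `safe_font_path` turns either value into a file name that cannot leave the temp directory.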
CVE-2024-12426: Variable Expansion and INI File Exfiltration
The second vulnerability leverages LibreOffice's handling of the vnd.sun.star.expand URI scheme, which supports recursive variable substitution.
Attackers can craft documents that extract environment variables, configuration files, or secrets via manipulated URLs. For instance:
This scheme parses INI files laxly, enabling exfiltration from non-INI files such as .bash_history or SQLite databases. A proof-of-concept attack demonstrated the theft of WordPress password-reset tokens from Thunderbird emails, allowing account takeover.
Vulnerability Impact
- Desktop Users: Malicious documents can exfiltrate $HOME paths, shell histories, or application secrets (e.g., AWS credentials).
- Server Deployments: Headless LibreOffice instances used for document conversion are vulnerable to web-shell deployment via arbitrary writes or SSRF attacks.
- Cross-Platform Threats: The vulnerabilities persist across Linux, Windows, and macOS installations.
Mitigation and Patches
LibreOffice released patches in versions 24.8.4 (Enterprise) and 7.6.5 (Community).
Key remediation steps include:
- Apply patches to all desktop and server installations.
- Sanitize LibreOffice-processed documents in web applications.
- Restrict LibreOffice’s access to sensitive directories using SELinux/AppArmor.
These vulnerabilities underscore the risks of complex document-processing ecosystems.
While LibreOffice’s open-source nature facilitates rapid patching, organizations must prioritize update workflows and runtime protections.
For enterprises, integrating security tools like intrusion detection systems (IDS) to monitor LibreOffice’s file operations is critical. As document-based attacks evolve, proactive defense mechanisms remain indispensable.