PT-2025-47210 · Unknown+1 · Onlyoffice+1

Published: 2025-11-17 · Updated: 2025-11-18 · CVE-2025-64766

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Onlyoffice versions 22.11 through 25.05
Onlyoffice versions prior to Unstable 25.11

Description

Onlyoffice is a software suite providing tools for document editing, collaboration, and management. A hard-coded secret within the NixOS module for the OnlyOffice document server was used to protect its file cache. An attacker knowing an existing revision ID could potentially access a document. Obtaining an arbitrary revision ID is considered difficult in practice. The likely impact is access to known documents from users with expired access.

Recommendations

Update to version 25.05 or later.
Update to NixOS unstable version 25.11 or later.

Exploit

Fix

Using Hardcoded Credentials

Weakness Enumeration

Related Identifiers

CVE-2025-64766
GHSA-58M4-5WG3-5G5V

Affected Products

Nixos
Onlyoffice