CVE-2025-1080

Name of the Vulnerable Software and Affected Versions LibreOffice versions 24.8 through 24.8.4 LibreOffice versions 25.2 through 25.2.0

Description The issue affects LibreOffice's integration with MS SharePoint server, where an additional scheme 'vnd.libreoffice.command' was added to support Office URI Schemes. In the affected versions, a link in a browser using this scheme could be constructed with an embedded inner URL that, when passed to LibreOffice, could call internal macros with arbitrary arguments. This allows attackers to execute arbitrary scripts, potentially leading to remote code execution attacks. The flaw bypasses existing security measures by targeting document collaboration workflows. Millions of users are at risk, particularly those relying on hybrid office solutions.

Recommendations For LibreOffice versions 24.8 through 24.8.4, update to version 24.8.5 or later. For LibreOffice versions 25.2 through 25.2.0, update to version 25.2.1 or later. As a temporary workaround, consider disabling the use of the 'vnd.libreoffice.command' scheme until a patch is available. Restrict access to internal macros to minimize the risk of exploitation.