LibreOffice: Windows vulnerability affects links in documents, patch available
LibreOffice is a popular open source Office suite that is used by millions of users as an alternative to Microsoft Office. We have followed LibreOffice for almost 15 years here on this blog. The developers of the free tool have just confirmed a new security issue in LibreOffice that affects users on Windows only.
The details:
- LibreOffice 24.8 to 24.8.4 are affected by the issue.
- Attackers may exploit the issue to launch executable files when users activate links in LibreOffice documents.
- The severity is high.
About the vulnerability
LibreOffice documents may contain links. Users may open the links directly by holding down the Ctrl-key before left-clicking on a link. The Office suite includes protections against launching executable files directly from links.
How it is triggered: users do need to actively Ctrl-click on links in LibreOffice documents to trigger the vulnerability.
The vulnerability CVE-2025-0514 is a bypass that allows attackers to create specially crafted documents that contain links that may run executable files on the target system.
LibreOffice explains that the integrated "mechanism could be bypassed by use of non-file URLs that could be interpreted by ShellExecute as Windows file paths".
Good to know: ShellExecute is a Windows function for launching applications.
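For reviewing documents received before the update is installed, here is an added example (not from LibreOffice or from this article) that lists the link targets stored in an ODF file and flags those that are neither in-document anchors nor on a small scheme allowlist. The allowlist, the function names and the sample document are assumptions made for illustration; the result is a review aid, not a signature for CVE-2025-0514.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
# Assumption: local review policy, not a list taken from the advisory.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

def extract_links(odf_bytes):
    """Return every xlink:href value in content.xml, in document order."""
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as zf:
        root = ET.fromstring(zf.read("content.xml"))
    return [el.attrib[XLINK_HREF] for el in root.iter() if XLINK_HREF in el.attrib]

def needs_review(href):
    """True unless the target is an in-document anchor or an allowlisted scheme."""
    if href.startswith("#"):
        return False
    return urlsplit(href).scheme.lower() not in ALLOWED_SCHEMES

def audit(odf_bytes):
    """Link targets a person should look at before anyone Ctrl-clicks them."""
    return [href for href in extract_links(odf_bytes) if needs_review(href)]

def build_sample():
    """Constructed sample: a minimal ODF-style package with five links."""
    targets = ["https://www.example.org/", "#Chapter 1", "mailto:team@example.org",
               "ftp://files.example.test/report.pdf", "example-scheme:item-42"]
    paragraphs = "".join(
        f'<text:p><text:a xlink:href="{t}">link</text:a></text:p>' for t in targets)
    content = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<office:document-content'
        ' xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"'
        ' xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0"'
        ' xmlns:xlink="http://www.w3.org/1999/xlink">'
        f'<office:body><office:text>{paragraphs}</office:text></office:body>'
        '</office:document-content>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("content.xml", content)
    return buf.getvalue()

if __name__ == "__main__":
    for href in audit(build_sample()):
        print("review before opening:", href)
```

Relative targets have no scheme and are therefore flagged as well, which is intentional for a manual review pass.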
Solution: install the update to LibreOffice 24.8.5
A new version of LibreOffice was released last week. It fixes the security issue by closing the bypass of the link protections.
LibreOffice 24.8.5 is available and users are encouraged to install the new version on their devices, especially if they run the software on a Windows PC.
Downloads are provided on the official project website. Note that LibreOffice 24.8.x is the previous stable branch of the open Office suite. You may also download and install LibreOffice 25.2.1, which is the current stable version.
Note that the developers do not mention LibreOffice 25.2.1 in the context of the vulnerability. This suggests that the latest version is likely not affected by the vulnerability either.