LibreOffice: Windows vulnerability affects links in documents, patch available
LibreOffice is a popular open source Office suite that is used by millions of users as an alternative to Microsoft Office. We have followed LibreOffice for almost 15 years here on this blog. The developers of the free tool have just confirmed a new security issue in LibreOffice that affects users on Windows only.
The details:
- LibreOffice 24.8 to 24.8.4 are affected by the issue.
- Attackers may exploit the issue to launch executable files when users activate links in LibreOffice documents.
- The severity is high.
About the vulnerability
LibreOffice documents may contain links. Users may open the links directly by holding down the Ctrl-key before left-clicking on a link. The Office suite includes protections against launching executable files directly from links.
How it is triggered: users do need to actively Ctrl-click on links in LibreOffice documents to trigger the vulnerability.
The vulnerability CVE-2025-0514 is a bypass that allows attackers to create specially crafted documents that contain links that may run executable files on the target system.
LibreOffice explains that the integrated "mechanism could be bypassed by use of non-file URLs that could be interpreted by ShellExecute as Windows file paths".
Good to know: ShellExecute is a Windows function for launching applications.
Solution: install the update to LibreOffice 24.8.5
A new version of LibreOffice was released last week that fixes the security issue by blocking means to circumvent the link protections.
LibreOffice 24.8.5 is available and users are encouraged to install the new version on their devices, especially if they run the software on a Windows PC.
Downloads are provided on the official project website. Note that LibreOffice 24.8.x is the previous stable branch of the open Office suite. You may also download and install LibreOffice 25.2.1, which is the current stable version.
Note that the developers do not mention LibreOffice 25.2.1 in the context of the vulnerability. This suggests that the latest version is also -- likely -- not affected by the vulnerability.
RECOMMENDED NEWS
Is Dropbox sending user data to OpenAI? There is an opt out!
Dropbox has been caught in a controversy, after users discovered that an experimental AI-feature ha...
MSEdgeRedirect's Europe Mode sets your Windows region to Europe
In the coming months, Windows users from many European countries will be allowed to remove Microsof...
How to enable Chrome's Tracking Protection feature right now
Google picked 1% of all Chrome installations today and enabled a feature called Tracking protection...
Understanding Data Loss Risksāand How to Prevent It
Youāre working on a very important presentation with a deadline looming, and then your computer sei...
OpenAI Launches āDeep Researchā ChatGPTāBut Can It Really Replace Google?
OpenAI has unveiled a new ChatGPT feature called āDeep Research,ā designed to assist users with com...
New Polymorphic Chrome extensions fake others to steal your data
We have seen our fair share of malicious Chrome extensions in the past 17 or so years since Google ...
Comments on "LibreOffice: Windows vulnerability affects links in documents, patch available" :