CVE-2025-1080

Name: CVE-2025-1080
Description: LibreOffice supports Office URI Schemes to enable browser integration of LibreOffice with MS SharePoint server. An additional scheme 'vnd.libreoffice.command' specific to LibreOffice was added. In the affected versions of LibreOffice, a link in a browser using that scheme could be constructed with an embedded inner URL that, when passed to LibreOffice, could call internal macros with arbitrary arguments. This issue affects LibreOffice: from 24.8 before 24.8.5, from 25.2 before 25.2.1.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DSA-5873-1

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| libreoffice (PTS) | bullseye | 1:7.0.4-4+deb11u10 | vulnerable |
| | bullseye (security) | 1:7.0.4-4+deb11u12 | vulnerable |
| | bookworm | 4:7.4.7-1+deb12u5 | vulnerable |
| | bookworm (security) | 4:7.4.7-1+deb12u7 | fixed |
| | trixie | 4:24.8.5-2 | fixed |
| | sid | 4:25.2.1-2 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| libreoffice | source | bookworm | 4:7.4.7-1+deb12u7 | | DSA-5873-1 | |
| libreoffice | source | (unstable) | 4:24.8.5-1 | | | |

Notes

https://www.libreoffice.org/about-us/security/advisories/cve-2025-1080
https://gerrit.libreoffice.org/c/core/+/181016
Fixed by: https://git.libreoffice.org/core/commit/7105fb698f897ddb38bd60315444c07356689e14
