CVE-2025-14714

Name: CVE-2025-14714
Description: An Authentication Bypass vulnerability existed where the application bundled an interpreter (Python) that inherits the Transparency, Consent, and Control (TCC) permissions granted by the user to the main application bundle. By executing the bundled interpreter directly, the attacker's scripts run with the application's TCC privileges. In fixed versions, parent-constraints are used to allow only the main application to launch the interpreter with those permissions. This issue affects LibreOffice on macOS: from 25.2 before < 25.2.4.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| libreoffice (PTS) | bullseye | 1:7.0.4-4+deb11u10 | fixed |
| | bullseye (security) | 1:7.0.4-4+deb11u13 | fixed |
| | bookworm | 4:7.4.7-1+deb12u9 | fixed |
| | bookworm (security) | 4:7.4.7-1+deb12u8 | fixed |
| | trixie | 4:25.2.3-2+deb13u2 | fixed |
| | forky, sid | 4:25.8.3-1 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| libreoffice | source | (unstable) | (not affected) | | | |

Notes

- libreoffice <not-affected> (Only affects LibreOffice on MacOS)
https://www.libreoffice.org/about-us/security/advisories/cve-2025-14714
