CVE-2025-1080
Published: 04 March 2025
Summary
CVE-2025-1080 is a high-severity Improper Input Validation (CWE-20) vulnerability in LibreOffice. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). It is ranked at the 30.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Patching: directly mitigates CVE-2025-1080 by requiring timely updating of LibreOffice to the fixed versions 24.8.5 or 25.2.1, which resolve the URI scheme input validation flaw.
- SI-10 (Information Input Validation): addresses the core improper input validation (CWE-20) by enforcing checks on 'vnd.libreoffice.command' URIs so that malicious embedded URLs cannot trigger macro execution.
- CM-7 (Least Functionality): prevents exploitation by restricting or disabling unnecessary LibreOffice features such as custom URI scheme handling and automatic internal macro invocation with arbitrary arguments.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an improper input validation flaw in the LibreOffice client application that allows a crafted browser link (vnd.libreoffice.command URI) to invoke internal macros with arbitrary arguments, directly enabling client-side code execution. This maps to T1203 (Exploitation for Client Execution) as the core exploitation of a client software vulnerability and T1204.001 (Malicious Link) as the required user interaction vector to trigger the malicious link.
NVD Description
LibreOffice supports Office URI Schemes to enable browser integration of LibreOffice with MS SharePoint server. An additional scheme 'vnd.libreoffice.command' specific to LibreOffice was added. In the affected versions of LibreOffice a link in a browser using that scheme could be constructed with an embedded inner URL that when passed to LibreOffice could call internal macros with arbitrary arguments. This issue affects LibreOffice: from 24.8 before 24.8.5, from 25.2 before 25.2.1.
Deeper analysis
CVE-2025-1080 is an improper input validation vulnerability (CWE-20) in LibreOffice's handling of the 'vnd.libreoffice.command' URI scheme, added for LibreOffice-specific browser integration alongside standard Office URI schemes for MS SharePoint. This flaw allows a specially crafted link in a browser to embed an inner URL that, when passed to LibreOffice, invokes internal macros with arbitrary arguments. The vulnerability affects LibreOffice versions from 24.8 prior to 24.8.5 and from 25.2 prior to 25.2.1, with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
An attacker can exploit this vulnerability locally (CVSS attack vector AV:L) by convincing a user to click a malicious browser link using the 'vnd.libreoffice.command' scheme; user interaction is required but no privileges are. When LibreOffice processes the link, the embedded inner URL triggers execution of internal macros with attacker-supplied arguments, potentially leading to high-impact compromise of confidentiality, integrity, and availability, up to arbitrary code execution depending on what the invoked macros can do.
LibreOffice's security advisory (https://www.libreoffice.org/about-us/security/advisories/cve-2025-1080) documents the issue and confirms patches in versions 24.8.5 and 25.2.1, urging users to update immediately. The Debian LTS announcement (https://lists.debian.org/debian-lts-announce/2025/06/msg00002.html) addresses backported fixes for affected Debian systems.
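As an added example (not code from the advisory or from the LibreOffice project): a small Python helper that applies the affected ranges stated above to an installed LibreOffice version string, and that flags proxy log lines whose URL uses the vnd.libreoffice.command scheme. The 'url=<value>' log format and the URLs in it are constructed sample data; the detection matches on the scheme only, so it does not depend on the inner-URL layout.

```python
import re
from typing import Iterable, List, Tuple

# Affected ranges from the advisory, keyed by release branch:
# branch -> first fixed version (affected means branch start <= v < fixed).
AFFECTED_RANGES = {
    (24, 8): (24, 8, 5),   # from 24.8 before 24.8.5
    (25, 2): (25, 2, 1),   # from 25.2 before 25.2.1
}

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '24.8.4.2' into (24, 8, 4, 2); stop at the first non-numeric part."""
    parts: List[int] = []
    for part in text.strip().split("."):
        if not part.isdigit():
            break
        parts.append(int(part))
    if len(parts) < 2:
        raise ValueError(f"unrecognised LibreOffice version: {text!r}")
    return tuple(parts)

def is_affected(version: str) -> bool:
    """True if this LibreOffice version falls in a range the advisory lists."""
    v = parse_version(version)
    fixed = AFFECTED_RANGES.get(v[:2])
    if fixed is None:
        return False  # branches the advisory does not list (e.g. 24.2) are out of scope
    # Tuple comparison: (24, 8, 4, 2) < (24, 8, 5) is True; (24, 8, 5) < (24, 8, 5) is False
    return v < fixed

# Constructed sample log lines in an assumed 'url=<value>' proxy format.
SAMPLE_LOG = [
    "2025-03-05T10:01:02Z user=alice url=https://intranet.example/docs/report.odt",
    "2025-03-05T10:02:17Z user=bob url=vnd.libreoffice.command:PLACEHOLDER-PAYLOAD",
    "2025-03-05T10:03:44Z user=carol url=ms-word:ofe|u|https://sharepoint.example/a.docx",
]

URL_FIELD = re.compile(r"\burl=(?P<url>\S+)")

def flag_libreoffice_command_links(lines: Iterable[str]) -> List[str]:
    """Return the lines whose URL uses the vnd.libreoffice.command scheme."""
    hits = []
    for line in lines:
        m = URL_FIELD.search(line)
        # Scheme check only: a hit on a client below the fixed version is worth a look.
        if m and m.group("url").lower().startswith("vnd.libreoffice.command:"):
            hits.append(line)
    return hits
```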
Details
- CWE(s)