Cyber Resilience

CVE-2025-27791

High

Published: 15 April 2025

Published
15 April 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v4 8.3 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0116 79.0th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-27791 is a high-severity Relative Path Traversal (CWE-23) vulnerability. Its CVSS base score is 8.3 (High).

Operationally, ranked in the top 21.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

Collabora Online, a collaborative online office suite based on LibreOffice technology, is affected by a path traversal vulnerability in versions prior to 24.04.12.4, 23.05.19, and 22.05.25. The flaw resides in the handling of the CheckFileInfo BaseFileName field returned from WOPI servers and is tracked as CWE-23. It permits an arbitrary file write to any location writable by the Collabora Online process UID when a malicious WOPI server supplies the response, and the issue is compounded by a Time-of-Check/Time-of-Use DNS resolution weakness for attacker-controlled WOPI hostnames.

An unauthenticated attacker who can influence or supply a malicious WOPI server response can exploit the combined flaws to write files on the target system. Successful exploitation requires the Collabora Online instance to contact the attacker-controlled WOPI endpoint, after which the path traversal allows placement of attacker-chosen content at arbitrary filesystem locations reachable by the service UID, resulting in high integrity impact and limited availability impact per the CVSS 8.3 rating.

The referenced GitHub Security Advisory GHSA-9j32-gg3j-8w25 and the vendor patches indicate that the issue has been resolved in Collabora Online releases 24.04.13.1, 23.05.19, and 22.05.25. The EPSS score remains flat at a low value of 0.0116 with no material increase observed after disclosure.

EU & UK References

Vulnerability details

Collabora Online is a collaborative online office suite based on LibreOffice technology. In versions prior to 24.04.12.4, 23.05.19, and 22.05.25, there is a path traversal flaw in handling the CheckFileInfo BaseFileName field returned from WOPI servers. This allows for a…

more

file to be written anywhere the uid running Collabora Online can write, if such a response was supplied by a malicious WOPI server. By combining this flaw with a Time of Check, Time of Use DNS lookup issue with a WOPI server address under attacker control, it is possible to present such a response to be processed by a Collabora Online instance. This issue has been patched in versions 24.04.13.1, 23.05.19, and 22.05.25.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

In
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References