CVE-2025-27791
Published: 15 April 2025
Summary
CVE-2025-27791 is a high-severity Relative Path Traversal (CWE-23) vulnerability. Its CVSS base score is 8.3 (High).
Operationally, it ranks in the top 21.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Collabora Online, a collaborative online office suite based on LibreOffice technology, is affected by a path traversal vulnerability in versions prior to 24.04.12.4, 23.05.19, and 22.05.25. The flaw resides in the handling of the CheckFileInfo BaseFileName field returned from WOPI servers and is tracked as CWE-23. It permits an arbitrary file write to any location writable by the Collabora Online process UID when a malicious WOPI server supplies the response, and the issue is compounded by a Time-of-Check/Time-of-Use DNS resolution weakness for attacker-controlled WOPI hostnames.
An unauthenticated attacker who can influence or supply a malicious WOPI server response can exploit the combined flaws to write files on the target system. Successful exploitation requires the Collabora Online instance to contact the attacker-controlled WOPI endpoint, after which the path traversal allows placement of attacker-chosen content at arbitrary filesystem locations reachable by the service UID, resulting in high integrity impact and limited availability impact per the CVSS 8.3 rating.
The referenced GitHub Security Advisory GHSA-9j32-gg3j-8w25 and the vendor patches indicate that the issue has been resolved in Collabora Online releases 24.04.13.1, 23.05.19, and 22.05.25. The EPSS score remains flat at a low value of 0.0116 with no material increase observed after disclosure.
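The following is an added example, not Collabora's patch and not code from the advisory: one way a WOPI client can treat the CheckFileInfo BaseFileName as untrusted before using it as a local file name, shown beside the unsafe verbatim join. The function names, the `/opt/jail/doc` directory and the sample file names are assumptions constructed for illustration.

```cpp
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Lexically collapse "." and ".." in an absolute POSIX path (no disk access).
std::string normalize(const std::string& path) {
    std::vector<std::string> parts;
    std::istringstream in(path);
    std::string seg;
    while (std::getline(in, seg, '/')) {
        if (seg.empty() || seg == ".") continue;
        if (seg == "..") { if (!parts.empty()) parts.pop_back(); continue; }
        parts.push_back(seg);
    }
    std::string out;
    for (const auto& p : parts) out += "/" + p;
    return out.empty() ? "/" : out;
}

// Where the file lands when BaseFileName is appended verbatim (the unsafe pattern).
std::string naiveTarget(const std::string& dir, const std::string& name) {
    return normalize(dir + "/" + name);
}

// Accept BaseFileName only as a single path component.
bool isSafeBaseFileName(const std::string& name) {
    if (name.empty() || name == "." || name == ".." || name.size() > 255) return false;
    for (unsigned char c : name)
        if (c == '/' || c == '\\' || c < 0x20 || c == 0x7f) return false;
    return true;
}

// Hardened join: an empty string means "reject the CheckFileInfo response".
std::string safeTarget(const std::string& dir, const std::string& name) {
    if (!isSafeBaseFileName(name)) return std::string();
    const std::string root = normalize(dir);
    const std::string prefix = (root == "/") ? root : root + "/";
    const std::string target = normalize(prefix + name);
    // Defence in depth: the result must still sit under the document directory.
    if (target.compare(0, prefix.size(), prefix) != 0) return std::string();
    return target;
}

int main() {
    const std::string dir = "/opt/jail/doc", evil = "../../../tmp/x.txt"; // constructed
    std::cout << naiveTarget(dir, evil) << "\n"
              << (safeTarget(dir, evil).empty() ? "rejected" : "accepted") << "\n";
}
```

The check covers only the BaseFileName traversal; it does not address the Time-of-Check/Time-of-Use DNS lookup issue described above.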
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-14833
Vulnerability details
Collabora Online is a collaborative online office suite based on LibreOffice technology. In versions prior to 24.04.12.4, 23.05.19, and 22.05.25, there is a path traversal flaw in handling the CheckFileInfo BaseFileName field returned from WOPI servers. This allows for a file to be written anywhere the uid running Collabora Online can write, if such a response was supplied by a malicious WOPI server. By combining this flaw with a Time of Check, Time of Use DNS lookup issue with a WOPI server address under attacker control, it is possible to present such a response to be processed by a Collabora Online instance. This issue has been patched in versions 24.04.13.1, 23.05.19, and 22.05.25.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.