LibreOffice: Windows vulnerability affects links in documents, patch available

LibreOffice is a popular open source Office suite that is used by millions of users as an alternative to Microsoft Office. We have followed LibreOffice for almost 15 years here on this blog. The developers of the free tool have just confirmed a new security issue in LibreOffice that affects users on Windows only.
The details:
- LibreOffice 24.8 to 24.8.4 are affected by the issue.
- Attackers may exploit the issue to launch executable files when users activate links in LibreOffice documents.
- The severity is high.
About the vulnerability
LibreOffice documents may contain links. Users may open the links directly by holding down the Ctrl-key before left-clicking on a link. The Office suite includes protections against launching executable files directly from links.
How it is triggered: users do need to actively Ctrl-click on links in LibreOffice documents to trigger the vulnerability.
The vulnerability CVE-2025-0514 is a bypass that allows attackers to create specially crafted documents that contain links that may run executable files on the target system.
LibreOffice explains that the integrated "mechanism could be bypassed by use of non-file URLs that could be interpreted by ShellExecute as Windows file paths".
Good to know: ShellExecute is a Windows function for launching applications.
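An added example (not code from LibreOffice or from this article): a defensive audit that lists every link target stored in an ODF document and flags those whose scheme is outside a small allowlist, so documents can be triaged before anyone Ctrl-clicks a link. The allowlist, the function names and the sample document are assumptions constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
# Assumption: conservative allowlist picked for this example, not LibreOffice's own rule.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

def audit_links(odf_bytes):
    """Return (part, href, reason) for each link target outside the allowlist."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as zf:
        for part in ("content.xml", "styles.xml"):
            if part not in zf.namelist():
                continue
            # For bulk scanning of untrusted files, swap in defusedxml's parser.
            root = ET.fromstring(zf.read(part))
            for el in root.iter():
                href = el.get(XLINK_HREF)
                if not href or href.startswith("#"):  # in-document anchor
                    continue
                try:
                    scheme = urlsplit(href.strip()).scheme.lower()
                except ValueError:
                    findings.append((part, href, "unparseable URL"))
                    continue
                if scheme not in ALLOWED_SCHEMES:
                    findings.append((part, href, f"scheme '{scheme}' not allowlisted"))
    return findings

def build_sample():
    """Constructed sample: a minimal ODF-style zip with five link targets."""
    hrefs = ["https://www.libreoffice.org/", "#Section1", "mailto:helpdesk@example.org",
             "file:///C:/Users/Public/report.odt", "example-scheme:placeholder"]
    links = "".join(f'<text:a xlink:href="{h}">link</text:a>' for h in hrefs)
    xml = ('<office:document-content '
           'xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
           'xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0" '
           'xmlns:xlink="http://www.w3.org/1999/xlink">'
           f'<office:body><office:text><text:p>{links}</text:p></office:text></office:body>'
           '</office:document-content>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("content.xml", xml)
    return buf.getvalue()

if __name__ == "__main__":
    for part, href, reason in audit_links(build_sample()):
        print(f"{part}: {href} -> {reason}")
```

Relative links have an empty scheme and are flagged as well; an audit like this helps triage documents and does not replace installing the fixed version.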
Solution: install the update to LibreOffice 24.8.5
A new version of LibreOffice was released last week that fixes the security issue by blocking means to circumvent the link protections.
LibreOffice 24.8.5 is available and users are encouraged to install the new version on their devices, especially if they run the software on a Windows PC.
Downloads are provided on the official project website. Note that LibreOffice 24.8.x is the previous stable branch of the open Office suite. You may also download and install LibreOffice 25.2.1, which is the current stable version.
Note that the developers do not mention LibreOffice 25.2.1 in the context of the vulnerability. This suggests that the latest version is likely not affected by the vulnerability.


A week later, there still hasn’t been an update to the portable version; the latest portable on both PortableApps and the LibreOffice website is still 24.8.2.
This is pretty typical of the support portable apps get.
I was pleased to find that my Portable Apps LibreOffice 24.8.4 updated itself to 24.8.5.2 without my seeking an update.
Screenshot: https://snipboard.io/KzpSmd.jpg
As of today, latest portable version on LibreOffice site is still 24.8.2: https://www.libreoffice.org/download/portable-versions/
Latest portable version on PortableApps site is still 24.8.2: https://portableapps.com/apps/office/libreoffice_portable
So it might be entertaining to figure out where your update came from.
“You may also download and install LibreOffice 25.2.1, which is the current stable version.”
Currently running here LibreOffice 25.2.1.2 with no problem at all, stable and fast as hell.
Yes, this does NOT apply if you are on the current version. Running old versions of software leaves you vulnerable — well, duh!
But annoying that one had to read so far in this article to discover that it only applied to obsolete versions. Makes this article seem rather clickbaitey.
As usual, no update yet for portable version. As of now, latest available is 24.8.2.
This is a problem with portable apps in general. They get updates days-to-weeks later than the installers.
Jung’s synchronicity–going through my laptop a couple of days ago uninstalling those programs I haven’t used in years and updating others. Libre was updated to 25.2–amazing how much clutter accumulates in different ways–mental clutter, computer hardware clutter, software clutter, furniture clutter–on and on. Shoes! Wow, why so many shoes? I have enough shoes to fill a landfill. [But I may wear that pair one more time, so even think “give away.]
Jung’s synchronicity is not applicable to this specific situation.
Synchronicity is a concept introduced by founder of analytical psychology Carl Jung to describe events that coincide in time and appear meaningfully related, yet lack a discoverable causal connection.
In this case, no causal connection on my side; I just happened to be updating and doing computer cleaning when I discover a few days later that there was a meaningful, yet unknown to me reason, why this sudden urge to declutter my laptop occurred.
Serendipitous? I think not.
Freedom is not enough for the human health if no food and water are provided.
Whoever has ears, let him listen.
One can have no health–physical, mental, or spiritual–without freedom. Feed, clothe, and provide water for the body; without Freedom, a person will soon wilt and die. Happens on the “inside” quite frequently.
“Give me Liberty; or give me Death.” All the “health” in the world without Freedom is meaningless.
Freedom, freedom, freedom, as rights, rights, rights are meaningless if conceived as mine, mine only and whatever this implies on freedom and rights of my neighbor.
Nowadays people always mention their rights and seldom their duties. My freedom, my rights … OK OK OK.
Of course nothing of value can be achieved without freedom, but many bad things can be achieved when freedom is conceived and practiced in a unilateral way.
From there on freedom has limits and those are all in the freedom of others. This leads to equality, hence no freedom without equality of rights.
Freedom and equality may happen to be perceived as incompatible and that’s when brotherhood is the everlasting revelation of the synthesis of the former two.
I’d dare say that because freedom and equality are the children of brotherhood, it is without brotherhood rather than without freedom that nothing of value may be achieved.
Good to know, and thanks of course for pointing out this LibreOffice vulnerability, critical as it seems.
As the article states, affected LibreOffice versions are 24.8 to 24.8.4. I run and had decided to stick on version 24.2 (for reasons out of this scope) so am not affected.
Moreover, the ‘BrokenURL’ application (https://brokenevent.com/projects/brokenurl, unavailable as I write, must be a temporary issue given the site’s homepage renders correctly) allows the user to confirm sending a URL to the browser (as well as to what browser), which adds a layer of precaution security.
BrokenURL description :
“The BrokenURL is Windows URL router. When something tries to open URL, the BrokenURL will ask you whether to and in which exactly browser to open it. Also it allows you to open it in private tab of selected browser, without any cookies and any spy extensions – on your discretion.
Of course, it will not anyhow disturb the internal URL transitions within an opened browser. The browser can handle it by its own. But any URL opened from external apps (installers; uninstallers; even IM messengers like Skype and other similar) are in control now.
SETTING THE BROKENURL AS DEFAULT BROWSER IS REQUIRED TO MAKE IT WORK.”