CVE-2025-64404
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-12

Last updated on: 2025-11-13

Assigner: Apache Software Foundation

Description
Apache OpenOffice documents can contain links to other files. A missing Authorization vulnerability in Apache OpenOffice allowed an attacker to craft a document that would cause external links to be loaded without prompt. In the affected versions of Apache OpenOffice, documents that used background fill images, or bullet images, linked to external files would load the contents of those files without prompting the user for permission to do so. This issue affects Apache OpenOffice: through 4.1.15. Users are recommended to upgrade to version 4.1.16, which fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-12
Last Modified
2025-11-13
Generated
2026-06-16
AI Q&A
2025-11-12
EPSS Evaluated
2026-06-14
NVD
CVE-2025-64404
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
apache openoffice to 4.1.16 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Apache OpenOffice allows an attacker to create a document with external links that load linked files automatically without asking the user for permission. Specifically, documents using background fill images or bullet images linked to external files will load those files silently, due to a missing authorization check.

Impact Analysis

The vulnerability can lead to unauthorized loading of external content when opening a crafted document, potentially exposing users to privacy risks, data leakage, or malicious content without their knowledge or consent.

Mitigation Strategies

Upgrade Apache OpenOffice to version 4.1.16 or later, as this version fixes the missing Authorization vulnerability that allows external links in documents to be loaded without user prompt.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-64404. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart