CVE-2025-64766
BaseFortify
Publication date: 2025-11-17
Last updated on: 2025-11-17
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nixos | onlyoffice | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-798 | The product contains hard-coded credentials, such as a password or cryptographic key. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in NixOS's Onlyoffice involves a hard-coded secret used in the module for the OnlyOffice document server to protect its file cache. An attacker who knows an existing revision ID could use this secret to access a document. Although obtaining an arbitrary revision ID is difficult, the vulnerability primarily allows access to known documents even after user access has expired.
How can this vulnerability impact me? :
The main impact of this vulnerability is unauthorized access to documents that a user previously had access to, even after their access has expired. This could lead to exposure of sensitive or confidential information if an attacker knows the revision ID of a document.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade NixOS Onlyoffice to version 25.05 or later, or to unstable version 25.11 or later, where the hard-coded secret issue has been resolved.