CVE-2025-14714
Authentication Bypass in LibreOffice macOS via Bundled Python Interpreter
Publication date: 2025-12-15
Last updated on: 2026-02-18
Assigner: The Document Foundation
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| libreoffice | libreoffice | From 25.2.0.1 (inc) to 25.2.4.1 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-288 | The product requires authentication, but the product has an alternate path or channel that does not require authentication. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-14714 is an authentication bypass vulnerability in LibreOffice on macOS involving its bundled Python interpreter. Under the macOS Transparency, Consent, and Control (TCC) model, the access a user approves (for example to protected folders, the camera or the microphone) is granted to the LibreOffice application bundle, and the Python interpreter shipped inside that bundle inherits those grants. Before the fix nothing restricted who could start that interpreter, so a local attacker, or malicious code already running as the user, could execute the bundled Python binary directly and run arbitrary scripts with the same TCC grants as LibreOffice, without triggering the consent prompts those resources would otherwise require. The issue was fixed by applying a parent launch constraint to the interpreter, so that macOS only allows it to be launched by the main LibreOffice application. [1]
How can this vulnerability impact me?
This vulnerability can allow an attacker to run unauthorized scripts on macOS with the TCC permissions the user has granted to LibreOffice, giving access to data or devices that the user approved for LibreOffice but not for the attacker's code. The bypass is one of TCC consent, not of Unix privileges: the attacker's code still runs as the logged-in user, but it reaches protected resources that would otherwise be denied or gated behind a consent prompt, which can lead to unauthorized data access or manipulation. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade LibreOffice on macOS to version 25.2.4 or later, where the bundled Python interpreter carries a parent launch constraint that prevents it from being executed directly with LibreOffice's TCC grants. [1] Two caveats for practitioners: launch constraints are enforced by the operating system, so the constraint only protects systems running a macOS release that supports launch constraints (macOS 13 Ventura and later); and until the upgrade is rolled out, reviewing the TCC grants given to LibreOffice under System Settings > Privacy & Security and removing any that are not needed limits what an attacker could inherit.
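The following script is an added example for this page, not code from the advisory or from the LibreOffice project. It checks an installed LibreOffice.app against the affected range from the table above ([25.2.0.1, 25.2.4.1)) and, on macOS, inspects the bundled Python binary for a launch constraint. The default bundle path, the interpreter living under Contents/Frameworks/*/bin/python3*, and codesign -d -vvv printing a "Launch Constraints:" section on macOS releases that support the feature are assumptions; adjust them for your install.

```shell
#!/bin/sh
# Added example for CVE-2025-14714; not part of the advisory or of LibreOffice.
# Reports whether an installed LibreOffice.app is in the affected range
# [25.2.0.1, 25.2.4.1) taken from the advisory, and whether the bundled
# Python binary carries a launch constraint. Assumptions: the default bundle
# path, the interpreter located under Contents/Frameworks/*/bin/python3*,
# and "codesign -d -vvv" listing a "Launch Constraints:" section when one is set.

APP="${1:-/Applications/LibreOffice.app}"   # assumed default install location

# Compare two dotted numeric versions. Prints -1, 0 or 1 (like strcmp).
# Missing trailing components count as 0, so 25.2 sorts before 25.2.0.1.
vercmp() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    x=${x:-0};  y=${y:-0}
    if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
    if [ "$x" -gt "$y" ]; then printf '%s\n' 1;  return 0; fi
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
  done
  printf '%s\n' 0
}

# True when $1 falls inside the affected range from the advisory table.
is_affected() {
  [ "$(vercmp "$1" 25.2.0.1)" -ge 0 ] && [ "$(vercmp "$1" 25.2.4.1)" -lt 0 ]
}

# Read the bundle's version string with the macOS defaults tool.
installed_version() {
  defaults read "$APP/Contents/Info" CFBundleShortVersionString 2>/dev/null
}

# Look for a launch constraint on the bundled interpreter (assumed location).
check_launch_constraint() {
  py=$(find "$APP/Contents/Frameworks" -type f -path '*/bin/python3*' 2>/dev/null | head -n 1)
  if [ -z "$py" ]; then
    echo "bundled python not found under $APP/Contents/Frameworks"; return 2
  fi
  if codesign -d -vvv "$py" 2>&1 | grep -q 'Launch Constraints'; then
    echo "launch constraint present on $py"; return 0
  fi
  echo "no launch constraint on $py: it can still be launched directly"; return 1
}

main() {
  v=$(installed_version)
  if [ -z "$v" ]; then echo "cannot read version from $APP"; return 2; fi
  if is_affected "$v"; then
    echo "LibreOffice $v is in the affected range; upgrade to 25.2.4 or later"
  else
    echo "LibreOffice $v is outside the affected range"
  fi
  check_launch_constraint
}

# The live checks need macOS tooling; elsewhere only the version logic is usable.
if command -v defaults >/dev/null 2>&1; then main; else echo "defaults not found: run this on macOS"; fi
```

Run it as `sh check_cve_2025_14714.sh` or pass an alternative bundle path as the first argument. A "no launch constraint" result on a patched version usually means the interpreter path assumption is wrong or the macOS release predates launch constraints, so confirm the path before concluding the fix is absent.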