CVE-2025-24796

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-24796
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-24796.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-24796
Aliases
  • GHSA-4jjq-vgqp-qw45
Published
2025-03-06T18:37:32.268Z
Modified
2025-12-02T08:02:52.384534Z
Severity
  • 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Remote Code Execution within Collabora Online jail with Macros Enabled
Details

Collabora Online is a collaborative online office suite based on LibreOffice. Macro support is disabled by default in Collabora Online, but can be enabled by an administrator. Collabora Online typically hosts each document instance within a jail and is allowed to download content from locations controlled by the net.lok_allow configuration option, which by default include the private IP ranges to enable access to the local network. If enabled, macros were allowed run executable binaries. By combining an ability to host executables, typically in the local network, in an allowed accessible location, with a macro enabled Collabora Online, it was then possible to install arbitrary binaries within the jail and execute them. These executables are restricted to the same jail file system and user as the document instance but can be used to bypass the additional limits on what network hosts are accessible and provide more flexibility as a platform for further attempts. This is issue is fixed in 24.04.12.4, 23.05.19, 22.05.25 and later macros.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/24xxx/CVE-2025-24796.json",
    "cwe_ids": [
        "CWE-829"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/collaboraonline/online

Affected ranges

Type
GIT
Repo
https://github.com/collaboraonline/online
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
bb42bcbd2aacae39d9a4561aa4f340345868ab51
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "22.05.25"
        }
    ]
}
Type
GIT
Repo
https://github.com/collaboraonline/online
Events
Introduced
39ee21ddca6daf5b6d66a8e99d15443e45a9b0cc
Fixed
c177c64c3dee8ad2f84de9c02ec08f44c9922e2d
Database specific 
{
    "versions": [
        {
            "introduced": "24.04.1.1"
        },
        {
            "fixed": "24.04.12.4"
        }
    ]
}

Affected versions

1.*

1.6.0-0
1.6.0-4-CODE
1.6.2-1

Other

co-4-2-0-branch-point
collabora-online-1-0-branch-point
collabora-online-1-9-branch-point
collabora-online-2-0-branch-point
collabora-online-2-1-branch-point
collabora-online-3-0-branch-point
collabora-online-4-branch-point
for-code-assets
libreoffice-5-2-branch-point
libreoffice-5-3-branch-point
libreoffice-5-4-branch-point
libreoffice-6-0-branch-point
libreoffice-6-1-branch-point
libreoffice-6-2-branch-point
libreoffice-6-3-branch-point
libreoffice-6-4-branch-point
libreoffice-7-0-branch-point

cp-21.*

cp-21.06.2-0
cp-21.11.0-0
cp-21.11.0-1
cp-21.11.0-2
cp-21.11.0-3
cp-21.11.0-4
cp-21.11.0-5
cp-21.11.0-6
cp-21.11.3-0

cp-22.*

cp-22.05.0-1
cp-22.05.10-2
cp-22.05.10-6
cp-22.05.10-7
cp-22.05.11-1
cp-22.05.12-1
cp-22.05.12-2
cp-22.05.12-3
cp-22.05.12-4
cp-22.05.14-1
cp-22.05.14-2
cp-22.05.14-3
cp-22.05.15-1
cp-22.05.15-2
cp-22.05.16-1
cp-22.05.17-1
cp-22.05.18-1
cp-22.05.19-1
cp-22.05.20-1
cp-22.05.21-1
cp-22.05.22-1
cp-22.05.22-2
cp-22.05.23-1
cp-22.05.24-1
cp-22.05.3-1
cp-22.05.4-1
cp-22.05.5-1
cp-22.05.5-2
cp-22.05.5-3
cp-22.05.6-2
cp-22.05.6-3
cp-22.05.7-3
cp-22.05.7-4
cp-22.05.7-5
cp-22.05.8-3
cp-22.05.8-4
cp-22.05.9-3
cp-22.05.9-4
cp-22.05.9-5
cp-22.05.9-6

cp-24.*

cp-24.04.1-1
cp-24.04.1-2
cp-24.04.1-3
cp-24.04.10-1
cp-24.04.10-2
cp-24.04.11-1
cp-24.04.11-2
cp-24.04.12-1
cp-24.04.12-2
cp-24.04.12-3
cp-24.04.2-1
cp-24.04.3-1
cp-24.04.4-1
cp-24.04.5-1
cp-24.04.6-1
cp-24.04.7-1
cp-24.04.7-2
cp-24.04.8-1
cp-24.04.9-1

helm-collabora-online-1.*

helm-collabora-online-1.1.15
helm-collabora-online-1.1.16
helm-collabora-online-1.1.17
helm-collabora-online-1.1.18
helm-collabora-online-1.1.19
helm-collabora-online-1.1.20
helm-collabora-online-1.1.21
helm-collabora-online-1.1.22
helm-collabora-online-1.1.23
helm-collabora-online-1.1.24
helm-collabora-online-1.1.25
helm-collabora-online-1.1.26
helm-collabora-online-1.1.27
helm-collabora-online-1.1.28
helm-collabora-online-1.1.29
helm-collabora-online-1.1.30
helm-collabora-online-1.1.31
helm-collabora-online-1.1.32

Database specific

vanir_signatures

[
    {
        "signature_version": "v1",
        "source": "https://github.com/collaboraonline/online/commit/bb42bcbd2aacae39d9a4561aa4f340345868ab51",
        "target": {
            "function": "parseResponseAndValidate",
            "file": "wsd/Storage.cpp"
        },
        "signature_type": "Function",
        "digest": {
            "length": 396.0,
            "function_hash": "175259878639534867018336862584826404864"
        },
        "id": "CVE-2025-24796-852d0fc9",
        "deprecated": false
    },
    {
        "signature_version": "v1",
        "source": "https://github.com/collaboraonline/online/commit/bb42bcbd2aacae39d9a4561aa4f340345868ab51",
        "target": {
            "file": "wsd/Storage.cpp"
        },
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "188623234153295289223321104998110144112",
                "302046581113113523978326810618598971779",
                "75804351401101686748502386337878951995",
                "306353953243276463958726030460705562592"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2025-24796-8ae6c37d",
        "deprecated": false
    }
]

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-24796.json"

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "23.05.1"
            },
            {
                "fixed": "23.05.19"
            }
        ]
    }
]