CVE-2025-1080
Published: 04 March 2025
Description
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Security Summary
CVE-2025-1080 is an improper input validation vulnerability (CWE-20) in LibreOffice's handling of the 'vnd.libreoffice.command' URI scheme, added for LibreOffice-specific browser integration alongside standard Office URI schemes for MS SharePoint. This flaw allows a specially crafted link in a browser to embed an inner URL that, when passed to LibreOffice, invokes internal macros with arbitrary arguments. The vulnerability affects LibreOffice versions from 24.8 prior to 24.8.5 and from 25.2 prior to 25.2.1, with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
An attacker can exploit this vulnerability locally by convincing a user to click a malicious browser link using the 'vnd.libreoffice.command' scheme, requiring user interaction but no privileges. When LibreOffice processes the link, the embedded inner URL triggers execution of internal macros with attacker-supplied arguments, potentially leading to high-impact compromise of confidentiality, integrity, and availability, such as arbitrary code execution depending on macro capabilities.
LibreOffice's security advisory (https://www.libreoffice.org/about-us/security/advisories/cve-2025-1080) documents the issue and confirms patches in versions 24.8.5 and 25.2.1, urging users to update immediately. The Debian LTS announcement (https://lists.debian.org/debian-lts-announce/2025/06/msg00002.html) addresses backported fixes for affected Debian systems.
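A triage sketch for the two facts above, the affected version ranges and the 'vnd.libreoffice.command' scheme, added here as an example and not taken from the LibreOffice advisory. It flags affected version strings and finds the scheme in URL attributes of HTML such as mail bodies or saved pages; the function names, the attribute list and the sample markup (with PLACEHOLDER standing in for the inner URL) are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

SCHEME = "vnd.libreoffice.command:"
# Affected ranges from the summary above: (first affected, first fixed)
AFFECTED = [((24, 8), (24, 8, 5)), ((25, 2), (25, 2, 1))]
# Assumption: the attributes worth checking; extend for your content types
URL_ATTRS = {"href", "src", "action", "formaction", "data"}


def is_affected(version: str) -> bool:
    """True if a version string such as '24.8.4.2' falls in an affected range."""
    v = tuple(int(p) for p in re.findall(r"\d+", version))
    return any(lo <= v < hi for lo, hi in AFFECTED)


def normalize(url: str) -> str:
    """Mimic browser URL pre-processing: trim C0 controls and spaces,
    drop embedded tab/CR/LF, and lowercase (schemes are case-insensitive)."""
    url = url.strip("".join(map(chr, range(0x21))))
    return re.sub(r"[\t\r\n]", "", url).lower()


class _LinkScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser has already decoded character references in attribute values
        for name, value in attrs:
            if name in URL_ATTRS and value and normalize(value).startswith(SCHEME):
                self.hits.append((self.getpos()[0], tag, value))


def find_command_links(html_text: str):
    """Return (line, tag, decoded_value) for each URL attribute using the scheme."""
    scanner = _LinkScanner()
    scanner.feed(html_text)
    scanner.close()
    return scanner.hits


# Constructed sample: one benign link, two obfuscated scheme uses, one text mention
SAMPLE = (
    '<a href="https://example.org/doc.odt">report</a>\n'
    '<a href="VND.LibreOffice.Command&#58;PLACEHOLDER">open</a>\n'
    '<a href=" vnd.libre&#10;office.command:PLACEHOLDER">open</a>\n'
    '<p>mentions vnd.libreoffice.command: in text only</p>\n'
)
```

A plain substring search over the raw markup would miss both flagged links in the sample, since one hides the colon in a character reference and the other splits the scheme with an encoded newline.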
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an improper input validation flaw in the LibreOffice client application that allows a crafted browser link (vnd.libreoffice.command URI) to invoke internal macros with arbitrary arguments, directly enabling client-side code execution. This maps to T1203 (Exploitation for Client Execution), since the core of the issue is exploitation of a client software vulnerability, and to T1204.001 (Malicious Link), since the user must click the malicious link for the exploit to trigger.