Bug 2422247 (CVE-2025-14714) - CVE-2025-14714 LibreOffice: LibreOffice: Authentication Bypass leading to privilege escalation via bundled interpreter execution
Keywords:
Status: NEW
Alias: CVE-2025-14714
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2423038 2423039
Blocks:
Reported: 2025-12-15 11:01 UTC by OSIDB Bzimport
Modified: 2025-12-17 07:00 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2025-12-15 11:01:21 UTC
An Authentication Bypass vulnerability existed where the application bundled an interpreter (Python) that inherits the Transparency, Consent, and Control (TCC) permissions granted by the user to the main application bundle.

By executing the bundled interpreter directly, the attacker's scripts run with the application's TCC privileges.

In fixed versions, parent-constraints are used to allow only the main application to launch the interpreter with those permissions.

This issue affects LibreOffice on macOS: from 25.2 before 25.2.4.

