CVE-2025-24796

Published Mar 6, 2025 Modified Apr 15, 2026 CWE-829

Description

Collabora Online is a collaborative online office suite based on LibreOffice. Macro support is disabled by default in Collabora Online, but can be enabled by an administrator. Collabora Online typically hosts each document instance within a jail and is allowed to download content from locations controlled by the net.lok_allow configuration option, which by default include the private IP ranges to enable access to the local network. If enabled, macros were allowed run executable binaries. By combining an ability to host executables, typically in the local network, in an allowed accessible location, with a macro enabled Collabora Online, it was then possible to install arbitrary binaries within the jail and execute them. These executables are restricted to the same jail file system and user as the document instance but can be used to bypass the additional limits on what network hosts are accessible and provide more flexibility as a platform for further attempts. This is issue is fixed in 24.04.12.4, 23.05.19, 22.05.25 and later macros.

Weakness Type (CWE)

CWE-829 CWE-829

References

Frequently Asked Questions

What is CVE-2025-24796? +
Collabora Online is a collaborative online office suite based on LibreOffice. Macro support is disabled by default in Collabora Online, but can be enabled by an administrator. Collabora Online typically hosts each document instance within a jail and is allowed to download content from locations controlled by the net.lok_allow configuration option, which by default include the private IP ranges to enable access to the local network. If enabled, macros were allowed run executable binaries. By combining an ability to host executables, typically in the local network, in an allowed accessible location, with a macro enabled Collabora Online, it was then possible to install arbitrary binaries within the jail and execute them. These executables are restricted to the same jail file system and user as the document instance but can be used to bypass the additional limits on what network hosts are accessible and provide more flexibility as a platform for further attempts. This is issue is fixed in 24.04.12.4, 23.05.19, 22.05.25 and later macros.
How do I check if I'm vulnerable to CVE-2025-24796? +
You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2025-36852

A critical security vulnerability exists in remote cache extensions for common build systems utilizing bucket-based remote cache (such as those …
CVE-2025-27510

conda-forge-metadata provides programatic access to conda-forge's metadata. conda-forge-metadata uses an optional dependency - "conda-oci-mirror" which was neither present on the …
CVE-2024-45482

An Inclusion of Functionality from Untrusted Control Sphere vulnerability in the SSH server on B&R APROL <4.4-00P1 may allow an …
CVE-2026-6357

pip prior to version 26.1 would run self-update check functionality after installing wheel files which required importing well-known Python modules …
CVE-2026-7373

Rapid7 Metasploit Pro is vulnerable to a local privilege escalation attack that allows a user to gain SYSTEM level control …
CVE-2025-34060

A PHP objection injection vulnerability exists in the Monero Project’s Laravel-based forum software due to unsafe handling of untrusted input …

Don't wait for an exploit

Scan your website for vulnerabilities like CVE-2025-24796 — free, no signup required.

Start Free Scan