CVE-2019-9852 in LibreOffice

Summary

by MITRE

LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various script events such as mouse-over, document-open etc. Access is intended to be restricted to scripts under the share/Scripts/python and user/Scripts/python sub-directories of the LibreOffice install. Protection was added, to address CVE-2018-16858, to avoid a directory traversal attack where scripts in arbitrary locations on the file system could be executed. However, this new protection could be bypassed by a URL encoding attack. In the fixed versions, the parsed URL describing the script location is correctly encoded before further processing. This issue affects: Document Foundation LibreOffice versions prior to 6.2.6.


Analysis

by VulDB Data Team • 11/21/2025

CVE-2019-9852 is a critical security flaw in LibreOffice that undermines the application's macro execution protection. It concerns the document event handling system, which allows pre-installed macros to run in response to user interactions such as mouse-over events or document opening. The vulnerability stems from an insufficient implementation of the security controls meant to prevent unauthorized script execution, giving malicious actors a way to bypass the intended access restrictions. The affected protection had been introduced in response to CVE-2018-16858, which addressed directory traversal attacks capable of executing scripts from arbitrary file system locations; that protection contained a critical implementation error that could be circumvented with URL encoding. The vulnerability affects all LibreOffice versions prior to 6.2.6, making it a widespread concern for organizations running older installations of the office suite.

The technical implementation of this vulnerability involves a URL encoding attack that exploits how LibreOffice processes script location references within documents. When documents specify script execution events, the application parses URLs that reference script locations within the LibreOffice installation directories. The original protection mechanism was designed to prevent directory traversal attacks by restricting script execution to predefined safe locations under share/Scripts/python and user/Scripts/python subdirectories. However, the URL encoding bypass allows attackers to craft malicious URLs that appear to reference legitimate script locations while actually pointing to arbitrary file system paths. This occurs because the application fails to properly encode or validate the URL components before processing them, allowing encoded characters to be interpreted as directory traversal sequences. The vulnerability operates at the application level within LibreOffice's document parsing and macro execution subsystem, where input validation is insufficient to prevent malicious URL manipulation.
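The ordering problem described above, as an added example that is not LibreOffice's own code: a naive resolver that checks the script name for traversal before percent-decoding it, beside a hardened one that decodes, canonicalises and only then verifies the result lies under an allowed directory. The install root, the location table and the simplified vnd.sun.star.script URLs are constructed for illustration.

```python
import os
from urllib.parse import urlsplit, unquote, parse_qs

# Constructed install layout for this example, not a real LibreOffice path.
INSTALL_ROOT = "/opt/libreoffice"
LOCATIONS = {
    "share": os.path.join(INSTALL_ROOT, "share", "Scripts", "python"),
    "user": os.path.join(INSTALL_ROOT, "user", "Scripts", "python"),
}

def _split_script_url(url):
    """Return (still-encoded script name, allowed base dir) from a
    simplified vnd.sun.star.script URL, or None for an unknown location."""
    parts = urlsplit(url)
    location = parse_qs(parts.query).get("location", [""])[0]
    base = LOCATIONS.get(location)
    if base is None:
        return None
    # "Module.py$function": only the part before '$' names a file.
    return parts.path.partition("$")[0], base

def resolve_naive(url):
    """Ordering bug: the traversal check inspects the encoded text and the
    decode happens afterwards, so '%2e%2e' passes the check and turns into
    '..' on the way to the filesystem."""
    split = _split_script_url(url)
    if split is None:
        return None
    raw_name, base = split
    if ".." in raw_name.split("/"):
        return None
    return os.path.normpath(os.path.join(base, unquote(raw_name)))

def resolve_hardened(url):
    """Decode first, canonicalise, then require the result to sit inside the
    allowed directory. Double-encoded names are refused outright because a
    single decode would leave a latent traversal sequence behind."""
    split = _split_script_url(url)
    if split is None:
        return None
    raw_name, base = split
    name = unquote(raw_name)
    if name != unquote(name) or os.path.isabs(name):
        return None
    real_base = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(real_base, name))
    if os.path.commonpath([real_base, candidate]) != real_base:
        return None
    return candidate
```

The containment test uses the canonical path rather than a string prefix on the raw URL, which is the property the naive version never establishes.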

The operational impact of CVE-2019-9852 extends beyond simple privilege escalation, as it enables remote code execution capabilities that can be leveraged by threat actors in targeted attacks. An attacker could craft malicious documents that, when opened by an affected LibreOffice version, would execute arbitrary code from unintended locations on the victim's system. This vulnerability directly violates the principle of least privilege and could lead to complete system compromise if the victim has elevated permissions. The attack vector is particularly concerning because it requires only that a user open a malicious document, making it suitable for phishing campaigns or social engineering attacks. The vulnerability affects the core security model of LibreOffice's macro execution system, potentially allowing attackers to execute scripts with the privileges of the logged-in user, which could include access to sensitive files, network reconnaissance, or even installation of additional malware. Organizations relying on LibreOffice for document processing face significant risk from this vulnerability, particularly in environments where users may encounter untrusted documents from external sources.

The remediation for CVE-2019-9852 involves updating to LibreOffice version 6.2.6 or later, where the URL parsing and encoding mechanisms have been properly implemented to prevent the bypass attack. This fix addresses the root cause by ensuring that parsed URL components are correctly encoded before being processed, eliminating the opportunity for URL encoding attacks to manipulate the script execution paths. Security practitioners should prioritize this update across all LibreOffice installations, particularly in enterprise environments where the software is widely deployed. The vulnerability aligns with CWE-77: Improper Neutralization of Special Elements used in a Command, as it involves improper handling of URL-encoded characters that could be used to manipulate command execution paths. From an ATT&CK framework perspective, this vulnerability maps to T1059.007: Command and Scripting Interpreter: Python, as it enables execution of Python scripts through the macro system, and T1203: Exploitation for Client Execution, representing a client-side exploitation technique that leverages document-based attack vectors. Organizations should implement additional monitoring for suspicious document execution patterns and consider network-based detection measures to identify potential exploitation attempts.

Reservation

03/17/2019

Moderation

accepted

CPE

ready

EPSS

0.00212

KEV

no

Activities

very low
