CVE-2019-9854 in LibreOffice

Summary

by MITRE

LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various script events such as mouse-over, document-open, etc. Access is intended to be restricted to scripts under the share/Scripts/python, user/Scripts/python sub-directories of the LibreOffice install. Protection was added, to address CVE-2019-9852, to avoid a directory traversal attack where scripts in arbitrary locations on the file system could be executed by employing a URL encoding attack to defeat the path verification step. However, this protection could be bypassed by taking advantage of a flaw in how LibreOffice assembled the final script URL location directly from components of the passed-in path as opposed to solely from the sanitized output of the path verification step. This issue affects: Document Foundation LibreOffice 6.2 versions prior to 6.2.7; 6.3 versions prior to 6.3.1.


Analysis

by VulDB Data Team • 11/21/2025

CVE-2019-9854 is a critical directory traversal flaw in LibreOffice's macro execution system that undermines the controls meant to prevent arbitrary code execution. It affects the document-level feature that lets a document specify when pre-installed macros run, for example on mouse-over or on document open. The protection added for CVE-2019-9852 was meant to stop scripts outside the designated safe directories, share/Scripts/python and user/Scripts/python, from being executed by blocking URL-encoded directory traversal. The implementation is flawed, however: LibreOffice builds the final script URL directly from components of the original path input rather than solely from the sanitized output of the verification step. That gap lets an attacker step outside the intended boundary and execute code from unauthorized locations on the file system.

Exploitation works by manipulating the path components processed when macro execution is initialized. When LibreOffice handles a document event that triggers a macro, it verifies that the script path resolves to an approved directory, but the flaw lies in how it then constructs the path that is actually executed. Because not every component is sanitized before the final path is assembled, a crafted document can name what appears to be a legitimate script while the assembled location points elsewhere on the system. The bypass exploits precisely the difference between what is verified and what is constructed, so code outside the safe directories can run. The vulnerability is especially concerning because it rides on legitimate functionality while circumventing established controls, which makes detection harder and enables stealthy exploitation.

The operational impact of CVE-2019-9854 goes beyond simple privilege escalation to potential full system compromise, since an attacker can execute arbitrary code with the privileges of the LibreOffice process. Affected releases are the 6.2.x versions before 6.2.7 and the 6.3.x versions before 6.3.1, a significant share of the user base at the time. The attack surface is broad because LibreOffice is widely used for document processing across platforms and organizations, so the potential for widespread exploitation is substantial. The vulnerability falls under CWE-22 Directory Traversal and CWE-78 Command Injection, combining path manipulation with code execution. In ATT&CK terms it maps to privilege escalation and execution through legitimate system tools, potentially letting adversaries establish persistent access through document-based attacks.

Affected organizations and users should update to LibreOffice 6.2.7 or 6.3.1, which contain the patch for the path assembly flaw. Beyond patching, disable macro execution for untrusted documents and enforce document handling policies that prevent automatic execution of macros from external sources. Administrators should also consider network-level controls and endpoint detection that monitors for suspicious macro execution patterns. The flaw illustrates the importance of input sanitization and least privilege: it stems from relying on a verification step without validating the final constructed path. Macro execution policies should be reviewed and enforced consistently across all LibreOffice installations. The patch changes the path construction logic so that every component is sanitized and validated before it is used in the final execution path, closing the bypass.
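The verify-then-reassemble defect described in the analysis above, beside the shape of its fix, as an added Python illustration that is not LibreOffice's own code: the script root, the URL-handler stand-in and the regression probe are constructed for this example.

```python
import os
from typing import Optional
from urllib.parse import quote, unquote

# Constructed stand-in for LibreOffice's share/Scripts/python root.
SCRIPT_ROOT = "/opt/office/share/Scripts/python"
# Constructed regression input: a doubly percent-encoded traversal attempt.
TRAVERSAL_PROBE = "%252e%252e/" * 5 + "tmp/evil.py"


def canonical_under_root(root: str, rel: str) -> Optional[str]:
    """Verification step: resolve rel under root; None if it escapes root."""
    candidate = os.path.normpath(os.path.join(root, rel))
    return candidate if os.path.commonpath([root, candidate]) == root else None


def url_layer_open(url: str) -> str:
    """Stand-in for the URL handler that loads the script: decodes, resolves."""
    return os.path.normpath(unquote(url))


def resolve_vulnerable(root: str, raw: str) -> Optional[str]:
    """Verify-then-reassemble: the verified path is discarded."""
    rel = unquote(raw)  # components of the passed-in path
    if canonical_under_root(root, rel) is None:
        return None
    # The defect: the final URL is rebuilt from the raw components and the
    # URL layer decodes once more, so what runs is not what was verified.
    return url_layer_open(root + "/" + rel)


def resolve_hardened(root: str, raw: str) -> Optional[str]:
    """Only the verified canonical path reaches the URL layer."""
    verified = canonical_under_root(root, unquote(raw))
    if verified is None:
        return None
    # Re-encode so the URL layer's single decode round-trips exactly, then
    # confirm the path it will open is the one that was verified.
    final = url_layer_open(quote(verified))
    return final if final == verified else None
```

For a benign relative name both resolvers agree; for the probe, the vulnerable resolver opens /tmp/evil.py while the hardened one stays under the root.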
