CVE-2025-14714 in LibreOffice
Summary
by MITRE • 12/15/2025
An Authentication Bypass vulnerability existed where the application bundled an interpreter (Python) that inherits the Transparency, Consent, and Control (TCC) permissions granted by the user to the main application bundle.
By executing the bundled interpreter directly, the attacker's scripts run with the application's TCC privileges.
In fixed versions, parent-constraints are used to allow only the main application to launch the interpreter with those permissions.
This issue affects LibreOffice on macOS: from 25.2 before 25.2.4.
Analysis
by VulDB Data Team • 02/18/2026
This vulnerability is a critical authentication bypass in LibreOffice for macOS that stems from improper permission handling around the application's bundled interpreter. The application ships a Python interpreter that inherits the Transparency, Consent, and Control (TCC) permissions the user granted to the main application bundle. TCC permissions gate access to sensitive resources such as the camera, microphone, protected files and other protected areas. When an attacker can execute scripts through the bundled interpreter directly, those scripts run with the privileges of the main application rather than in the restricted context the user would otherwise expect.
Exploitation consists of invoking the bundled interpreter directly, which runs arbitrary code with the application's full TCC privileges. This is a privilege escalation vector: the consent the user gave to the application is effectively extended to the interpreter component without any further prompt. The flaw is a violation of the principle of least privilege, since the bundled interpreter should not inherit the main application's permissions. It maps to CWE-284 (Improper Access Control) and specifically undermines the TCC framework that Apple implemented to protect user privacy and security.
The operational impact is significant for macOS users who rely on LibreOffice for document processing and office productivity. Attackers could execute malicious Python scripts that access protected resources, capture screenshots, read files or perform other unauthorized actions without additional user consent. The vulnerability affects LibreOffice on macOS from 25.2 up to but not including 25.2.4, leaving a substantial window of exposure for users who have not updated to the patched release. Users who have granted broad permissions to LibreOffice are affected most, as the malicious scripts would operate with those same privileges.
The developers fixed the issue by introducing parent-constraints that restrict which process can launch the interpreter with those permissions. This solution aligns with the principle of least privilege and addresses the privilege escalation techniques catalogued in the ATT&CK framework. The mitigation ensures that only the main application bundle can invoke the interpreter with TCC permissions, preventing unauthorized script execution with elevated privileges. Users should update to LibreOffice version 25.2.4 or later without delay, as the fix closes the permission inheritance loophole that enabled the bypass. Organizations running LibreOffice in enterprise environments should also verify that all systems have been updated to prevent exploitation of this privilege escalation vector.
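The vulnerability class described above (an embedded interpreter that inherits the host application's TCC grants) is something a defender can audit for across installed bundles. The script below is an added example written for this advisory; it is not code from LibreOffice, MITRE or VulDB. It walks an application bundle's Contents directory for executables whose names look like script interpreters, then, where the macOS `codesign` tool is available, displays each binary's signature and checks whether a parent launch constraint (the macOS mechanism the summary calls parent-constraints) is listed. Assumptions: the interpreter name list, the demo bundle layout in `make_demo_bundle()` (modelled on where LibreOffice embeds its Python framework, but constructed here), and the heuristic parsing of `codesign -d --verbose=4` output in `has_parent_constraint()`.

```python
"""Audit a macOS application bundle for embedded script interpreters and
report whether each one carries a parent launch constraint.

Added example for this advisory; not code from LibreOffice, MITRE or VulDB.
Assumptions: INTERPRETER_NAMES, the constructed bundle layout in
make_demo_bundle(), and the heuristic parsing of `codesign -d --verbose=4`
output in has_parent_constraint().
"""
import os
import shutil
import stat
import subprocess
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Base names of interpreters commonly embedded in app bundles (assumption).
INTERPRETER_NAMES = {"python", "perl", "ruby", "node", "tclsh", "wish"}


def _is_executable_file(path: Path) -> bool:
    """True for a regular file with the owner-execute bit set; symlinks are
    skipped so each interpreter binary is reported once."""
    try:
        st = path.lstat()
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & stat.S_IXUSR)


def find_bundled_interpreters(bundle: Path) -> List[Path]:
    """Walk <bundle>/Contents and return executables whose name looks like an
    interpreter: 'python3', 'python3.10' and 'perl5.30' all normalise to the
    base name once the version suffix is dropped."""
    found: List[Path] = []
    contents = bundle / "Contents"
    if not contents.is_dir():
        return found
    for root, _dirs, files in os.walk(contents):
        for name in files:
            stem = name.split(".")[0].rstrip("0123456789")
            if stem in INTERPRETER_NAMES:
                candidate = Path(root) / name
                if _is_executable_file(candidate):
                    found.append(candidate)
    return sorted(found)


def has_parent_constraint(codesign_output: str) -> bool:
    """Heuristic (assumption about codesign's display format): launch
    constraints appear under a 'Launch Constraints' heading, with a 'Parent'
    entry when a parent constraint was applied at signing time."""
    in_section = False
    for line in codesign_output.splitlines():
        if line.strip().lower().startswith("launch constraints"):
            in_section = True
            continue
        if in_section and "parent" in line.lower():
            return True
    return False


def codesign_display(binary: Path) -> Optional[str]:
    """Return `codesign -d --verbose=4` output (codesign writes it to stderr),
    or None when the tool is absent, e.g. on a non-macOS host."""
    if shutil.which("codesign") is None:
        return None
    proc = subprocess.run(["codesign", "-d", "--verbose=4", str(binary)],
                          capture_output=True, text=True, check=False)
    return proc.stderr + proc.stdout


def audit_bundle(bundle: Path) -> Dict[str, str]:
    """Map each bundled interpreter (path relative to the bundle) to one of
    'parent-constraint', 'no-parent-constraint' or 'codesign-unavailable'."""
    result: Dict[str, str] = {}
    for interp in find_bundled_interpreters(bundle):
        out = codesign_display(interp)
        if out is None:
            status = "codesign-unavailable"
        elif has_parent_constraint(out):
            status = "parent-constraint"
        else:
            status = "no-parent-constraint"
        result[str(interp.relative_to(bundle))] = status
    return result


def make_demo_bundle(root: Path) -> Path:
    """Create a constructed bundle layout mimicking where LibreOffice embeds
    its Python framework (the path is an assumption, for demonstration)."""
    bundle = root / "Demo.app"
    pybin = bundle / "Contents/Frameworks/LibreOfficePython.framework/Versions/3.10/bin"
    pybin.mkdir(parents=True)
    (pybin / "python3.10").write_text("#!/bin/sh\necho demo\n")
    (pybin / "python3.10").chmod(0o755)
    (pybin / "python3").symlink_to("python3.10")  # symlink: skipped by the walk
    (bundle / "Contents/MacOS").mkdir(parents=True)
    (bundle / "Contents/MacOS/demoapp").write_text("")
    (bundle / "Contents/MacOS/demoapp").chmod(0o755)  # main binary, not an interpreter
    (bundle / "Contents/Resources").mkdir()
    (bundle / "Contents/Resources/python.txt").write_text("not executable")
    return bundle


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, status in audit_bundle(make_demo_bundle(Path(tmp))).items():
            print(f"{status:24} {rel}")
```

Run it against real installs with `audit_bundle(Path("/Applications/LibreOffice.app"))`; a result of `no-parent-constraint` on an interpreter inside a bundle that holds broad TCC grants is the condition this advisory describes, and confirming the fixed version (25.2.4 or later) is installed is the remediation.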