Authorization Vulnerability in Apache OpenOffice Allows Unprompted Loading of External Links
CVE-2025-64402

6.5 MEDIUM

Key Information:

Vendor: Apache
CVE Published: 12 November 2025

What is CVE-2025-64402?

Apache OpenOffice documents can include links to external content. Because of a missing authorization check, an attacker can create a document that loads external links without any user prompt. This particularly concerns OLE objects that link to outside files, and it can lead to unintentional data exposure. Users are advised to upgrade to version 4.1.16 to mitigate this issue.

Affected Version(s)

Apache OpenOffice: versions from 0 up to and including 4.1.15

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Dawid Golunski, Doyensec LLC