CVE-2025-14714

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-14714

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-14714.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-14714

Published

2025-12-15T11:15:39.537Z

Modified

2026-03-12T17:39:09.581615Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

An Authentication Bypass vulnerability existed where the application bundled an interpreter (Python) that inherits the Transparency, Consent, and Control (TCC) permissions granted by the user to the main application bundle

By executing the bundled interpreter directly the attacker's scripts run with the application's TCC privileges

In fixed versions parent-constraints are used to allow only the main application to launch interpreter with those permissions

This issue affects LibreOffice on macOS: from 25.2 before < 25.2.4.

References

https://www.libreoffice.org/about-us/security/advisories/cve-2025-14714

Affected packages

Git / github.com/libreoffice/core

Affected ranges

Type

GIT

Repo

https://github.com/libreoffice/core

Events

Introduced

ddb2a7ea3a8857aae619555f1a8743e430e146c9

Fixed

09303ce8b49f86f106fccd32b1324662053027cc

Database specific

{
    "versions": [
        {
            "introduced": "25.2.0.1"
        },
        {
            "fixed": "25.2.4.1"
        }
    ]
}

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-14714.json"