CVE-2025-27791

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-27791

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-27791.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-27791

Aliases

GHSA-9j32-gg3j-8w25

Published

2025-04-15T19:09:18.774Z

Modified

2025-12-05T06:20:52.236600Z

Severity

8.3 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N CVSS Calculator

Summary

Collabora Online Vulnerable to Arbitrary File Write

Details

Collabora Online is a collaborative online office suite based on LibreOffice technology. In versions prior to 24.04.12.4, 23.05.19, and 22.05.25, there is a path traversal flaw in handling the CheckFileInfo BaseFileName field returned from WOPI servers. This allows for a file to be written anywhere the uid running Collabora Online can write, if such a response was supplied by a malicious WOPI server. By combining this flaw with a Time of Check, Time of Use DNS lookup issue with a WOPI server address under attacker control, it is possible to present such a response to be processed by a Collabora Online instance. This issue has been patched in versions 24.04.13.1, 23.05.19, and 22.05.25.

Database specific

{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/27xxx/CVE-2025-27791.json",
    "cwe_ids": [
        "CWE-23"
    ]
}

References

Affected packages

Git / github.com/collaboraonline/online

Affected ranges

Type

GIT

Repo

https://github.com/collaboraonline/online

Events

Introduced

39ee21ddca6daf5b6d66a8e99d15443e45a9b0cc

Fixed

3dc280be537625098b0be7873791b4b23a3f882c

Database specific

{
    "versions": [
        {
            "introduced": "24.04.1.1"
        },
        {
            "fixed": "24.04.13.1"
        }
    ]
}

Type

GIT

Repo

https://github.com/collaboraonline/online

Events

Introduced

Fixed

bb42bcbd2aacae39d9a4561aa4f340345868ab51

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "22.05.25"
        }
    ]
}

Affected versions

1.*

1.6.0-0

1.6.0-4-CODE

1.6.2-1

Other

co-4-2-0-branch-point

collabora-online-1-0-branch-point

collabora-online-1-9-branch-point

collabora-online-2-0-branch-point

collabora-online-2-1-branch-point

collabora-online-3-0-branch-point

collabora-online-4-branch-point

for-code-assets

libreoffice-5-2-branch-point

libreoffice-5-3-branch-point

libreoffice-5-4-branch-point

libreoffice-6-0-branch-point

libreoffice-6-1-branch-point

libreoffice-6-2-branch-point

libreoffice-6-3-branch-point

libreoffice-6-4-branch-point

libreoffice-7-0-branch-point

cp-21.*

cp-21.06.2-0

cp-21.11.0-0

cp-21.11.0-1

cp-21.11.0-2

cp-21.11.0-3

cp-21.11.0-4

cp-21.11.0-5

cp-21.11.0-6

cp-21.11.3-0

cp-22.*

cp-22.05.0-1

cp-22.05.10-2

cp-22.05.10-6

cp-22.05.10-7

cp-22.05.11-1

cp-22.05.12-1

cp-22.05.12-2

cp-22.05.12-3

cp-22.05.12-4

cp-22.05.14-1

cp-22.05.14-2

cp-22.05.14-3

cp-22.05.15-1

cp-22.05.15-2

cp-22.05.16-1

cp-22.05.17-1

cp-22.05.18-1

cp-22.05.19-1

cp-22.05.20-1

cp-22.05.21-1

cp-22.05.22-1

cp-22.05.22-2

cp-22.05.23-1

cp-22.05.24-1

cp-22.05.3-1

cp-22.05.4-1

cp-22.05.5-1

cp-22.05.5-2

cp-22.05.5-3

cp-22.05.6-2

cp-22.05.6-3

cp-22.05.7-3

cp-22.05.7-4

cp-22.05.7-5

cp-22.05.8-3

cp-22.05.8-4

cp-22.05.9-3

cp-22.05.9-4

cp-22.05.9-5

cp-22.05.9-6

cp-24.*

cp-24.04.1-1

cp-24.04.1-2

cp-24.04.1-3

cp-24.04.10-1

cp-24.04.10-2

cp-24.04.11-1

cp-24.04.11-2

cp-24.04.12-1

cp-24.04.12-2

cp-24.04.2-1

cp-24.04.3-1

cp-24.04.4-1

cp-24.04.5-1

cp-24.04.6-1

cp-24.04.7-1

cp-24.04.7-2

cp-24.04.8-1

cp-24.04.9-1

helm-collabora-online-1.*

helm-collabora-online-1.1.15

helm-collabora-online-1.1.16

helm-collabora-online-1.1.17

helm-collabora-online-1.1.18

helm-collabora-online-1.1.19

helm-collabora-online-1.1.20

helm-collabora-online-1.1.21

helm-collabora-online-1.1.22

helm-collabora-online-1.1.23

helm-collabora-online-1.1.24

helm-collabora-online-1.1.25

helm-collabora-online-1.1.26

helm-collabora-online-1.1.27

helm-collabora-online-1.1.28

helm-collabora-online-1.1.29

helm-collabora-online-1.1.30

helm-collabora-online-1.1.31

helm-collabora-online-1.1.32

helm-collabora-online-1.1.33

helm-collabora-online-1.1.34

Database specific

vanir_signatures

[
    {
        "signature_type": "Function",
        "source": "https://github.com/collaboraonline/online/commit/bb42bcbd2aacae39d9a4561aa4f340345868ab51",
        "id": "CVE-2025-27791-852d0fc9",
        "deprecated": false,
        "target": {
            "file": "wsd/Storage.cpp",
            "function": "parseResponseAndValidate"
        },
        "signature_version": "v1",
        "digest": {
            "function_hash": "175259878639534867018336862584826404864",
            "length": 396.0
        }
    },
    {
        "signature_type": "Line",
        "source": "https://github.com/collaboraonline/online/commit/bb42bcbd2aacae39d9a4561aa4f340345868ab51",
        "id": "CVE-2025-27791-8ae6c37d",
        "deprecated": false,
        "target": {
            "file": "wsd/Storage.cpp"
        },
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "188623234153295289223321104998110144112",
                "302046581113113523978326810618598971779",
                "75804351401101686748502386337878951995",
                "306353953243276463958726030460705562592"
            ]
        }
    }
]

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "23.05.0"
            },
            {
                "fixed": "23.05.19"
            }
        ]
    }
]