CVE-2025-1080: 
LibreOffice vulnerability analysis and mitigation

A security vulnerability (CVE-2025-1080) was discovered in LibreOffice affecting versions prior to 24.8.5 and 25.2.1. The vulnerability relates to LibreOffice's support for Office URI Schemes, specifically the 'vnd.libreoffice.command' scheme that was added to enable browser integration with platforms like Microsoft SharePoint. The issue was discovered by Amel Bouziane-Leblond and was publicly disclosed on March 4, 2025 (LibreOffice Advisory, Security Online).

The vulnerability stems from improper handling of Office URI Schemes in LibreOffice. An attacker could construct a malicious link using the 'vnd.libreoffice.command' scheme with an embedded inner URL that, when passed to LibreOffice, could call internal macros with arbitrary arguments. The vulnerability has been assigned a CVSS score of 7.2, indicating a high severity level (Security Online).

If successfully exploited, this vulnerability could allow attackers to execute arbitrary scripts through malicious macro execution. This could potentially lead to various malicious activities, including data theft, malware installation, and system compromise (Security Online).

The Document Foundation has released security updates to address this vulnerability. Users are strongly advised to upgrade to LibreOffice version 24.8.5 or 25.2.1, where the vulnerability has been fixed by blocking the circumvention method. Ubuntu users can update their systems through standard system updates to the following versions: Ubuntu 24.10 (4:24.8.5-0ubuntu0.24.10.2), Ubuntu 24.04 (4:24.2.7-0ubuntu0.24.04.3), Ubuntu 22.04 (1:7.3.7-0ubuntu0.22.04.9), and Ubuntu 20.04 (1:6.4.7-0ubuntu0.20.04.14) (Ubuntu Security, LibreOffice Advisory).