
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-2866 is a cryptographic signature verification vulnerability discovered in LibreOffice that affects PDF signature validation. The vulnerability was disclosed on April 27, 2025, and impacts LibreOffice versions from 24.8 before 24.8.6, and from 25.2 before 25.2.2. The flaw exists in the verification code for adbe.pkcs7.sha1 signatures, which could cause invalid signatures to be accepted as valid (LibreOffice Advisory, NVD).
The vulnerability is classified as an Improper Verification of Cryptographic Signature (CWE-347). According to the CVSS v4.0 assessment by The Document Foundation, it received a base score of 2.4 (LOW) with the vector string CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N. However, the NVD assessment indicates a CVSS 3.1 base score of 9.8 (CRITICAL) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).
The vulnerability allows attackers to bypass signature verification in PDF documents, potentially leading to the acceptance of invalid signatures as valid. This could compromise the integrity and authenticity verification of signed PDF documents within LibreOffice (LibreOffice Advisory, Wiz).
Users are recommended to upgrade to LibreOffice 24.8.6 or later (24.8 branch) or 25.2.2 or later (25.2 branch) to address this vulnerability. The fix was developed with the assistance of Juraj Šarinay, who discovered the issue and provided the solution (LibreOffice Advisory).
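As an added triage helper (not LibreOffice code and not part of this record): a small Python script that checks a LibreOffice version string against the affected ranges stated above and lists which signature dictionaries in a PDF use the adbe.pkcs7.sha1 SubFilter, the verification path in which the flaw lives. It assumes dotted version strings like "24.8.5.2" and only sees uncompressed PDF objects; the sample PDF fragment is constructed.

```python
import re

# First fixed release per affected branch, taken from the advisory text on this page.
FIXED_IN = {(24, 8): (24, 8, 6), (25, 2): (25, 2, 2)}

def parse_version(text):
    """'24.8.5.2' -> (24, 8, 5); only the first three components matter here."""
    return tuple(int(p) for p in text.strip().split(".")[:3])

def is_affected(version):
    """True when a LibreOffice version lies in 24.8 < 24.8.6 or 25.2 < 25.2.2."""
    v = parse_version(version)
    fixed = FIXED_IN.get(v[:2])
    return fixed is not None and v < fixed

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.S)
SIG_TYPE_RE = re.compile(rb"/Type\s*/Sig\b")
SUBFILTER_RE = re.compile(rb"/SubFilter\s*/([A-Za-z0-9.\-]+)")

def scan_signatures(pdf_bytes):
    """List (object number, SubFilter name, uses adbe.pkcs7.sha1) for each /Type /Sig dict.
    Only uncompressed indirect objects are seen; dictionaries inside object streams
    need decompression first, so treat an empty result as 'not found', not 'absent'."""
    found = []
    for m in OBJ_RE.finditer(pdf_bytes):
        num, body = int(m.group(1)), m.group(2)
        if not SIG_TYPE_RE.search(body):
            continue
        sf = SUBFILTER_RE.search(body)
        name = sf.group(1).decode("ascii") if sf else "<missing>"
        found.append((num, name, name == "adbe.pkcs7.sha1"))
    return found

# Constructed PDF fragment (not a real document) with two signature dictionaries.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /AcroForm << /Fields [4 0 R] /SigFlags 3 >> >> endobj
4 0 obj << /FT /Sig /T (sig1) /V 6 0 R >> endobj
6 0 obj << /Type /Sig /Filter /Adobe.PPKLite /SubFilter /adbe.pkcs7.sha1 /ByteRange [0 100 200 50] /Contents <00> >> endobj
7 0 obj << /Type /Sig /Filter /Adobe.PPKLite /SubFilter /adbe.pkcs7.detached /ByteRange [0 100 200 50] /Contents <00> >> endobj
"""

if __name__ == "__main__":
    print("24.8.5.2 affected:", is_affected("24.8.5.2"))
    for num, name, flagged in scan_signatures(SAMPLE_PDF):
        note = "  <- verification path affected by CVE-2025-2866" if flagged else ""
        print(f"obj {num}: /SubFilter /{name}{note}")
```

A flagged signature only means the document relies on the affected verification path on an unpatched build; re-validate such documents with a fixed release rather than trusting an earlier "valid" result.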
Source: This report was generated using AI