CVE-2025-14714
Title: TCC Bypass via Inherited Permissions in Bundled Interpreter
Announced: Dec 15, 2025
Fixed in: LibreOffice 25.2.4
Description:
LibreOffice typically bundles Python to provide scripting support.
On macOS, an Authentication Bypass vulnerability existed where the bundled Python launcher inherited the Transparency, Consent, and Control (TCC) permissions granted by the user to the main application bundle.
By executing the bundled interpreter directly, an attacker can run scripts with the application's TCC privileges.
In fixed versions, parent constraints are used to allow only the main application to launch the interpreter with those permissions.
All users are recommended to upgrade to LibreOffice >= 25.2.4 to avoid this problem.
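To audit a Mac against the fixed release, the following added example (not part of the advisory or LibreOffice's own code) reads the bundle version and compares it with 25.2.4. It assumes the default install path /Applications/LibreOffice.app and that the release version is recorded in the standard CFBundleShortVersionString key of Info.plist; the sample plist is constructed.

```python
import plistlib
from pathlib import Path

FIXED = (25, 2, 4)  # "Fixed in" release from the advisory
# Assumption: default install location; pass another path for other layouts.
DEFAULT_BUNDLE = Path("/Applications/LibreOffice.app")

# Constructed sample Info.plist (not taken from a real install).
SAMPLE_PLIST = plistlib.dumps({"CFBundleShortVersionString": "25.2.3.2"})


def read_version(info_plist: bytes) -> str:
    """Return the bundle's short version string from raw Info.plist bytes."""
    return plistlib.loads(info_plist)["CFBundleShortVersionString"]


def is_fixed(version: str) -> bool:
    """True if the dotted version is at or above the fixed release."""
    parts = []
    for piece in version.strip().split("."):
        if not piece.isdigit():  # stop at suffixes such as "rc1"
            break
        parts.append(int(piece))
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    # Pad short versions ("25.8") and ignore the build component ("25.2.4.3").
    padded = tuple(parts) + (0,) * (len(FIXED) - len(parts))
    return padded[: len(FIXED)] >= FIXED


def audit(bundle: Path = DEFAULT_BUNDLE) -> str:
    """Report whether the LibreOffice bundle at `bundle` needs upgrading."""
    plist = bundle / "Contents" / "Info.plist"
    if not plist.is_file():
        return f"{bundle}: not installed"
    version = read_version(plist.read_bytes())
    state = "fixed" if is_fixed(version) else "UPGRADE to >= 25.2.4"
    return f"{bundle}: {version} -> {state}"


if __name__ == "__main__":
    sample = read_version(SAMPLE_PLIST)
    print("sample:", sample, "fixed" if is_fixed(sample) else "not fixed")
    print(audit())
```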
Credits:
- Thanks to Karol Mazurek of AFINE for reporting this issue
- Thanks to Christian Lohmaier of TDF for providing the fix
References:
CVE-2025-14714
