TCC Bypass via Inherited Permissions in Bundled Interpreter_CVE-2025-14714

0.9 / 10

LOW

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:U

Description

An Authentication Bypass vulnerability existed where the application bundled an interpreter (Python) that inherits the Transparency, Consent, and Control (TCC) permissions granted by the user to the main application bundle

By executing the bundled interpreter directly the attacker's scripts run with the application's TCC privileges

In fixed versions parent-constraints are used to allow only the main application to launch interpreter with those permissions

This issue affects LibreOffice on macOS: from 25.2 before < 25.2.4.

Basic Information

ID CVE-2025-14714

Source Document Fdn.

Published Dec 15, 2025 at 10:30

Affected Product

Vendor The Document Foundation

Product LibreOffice

Version 25.2

Affected Versions The Document Foundation LibreOffice 25.2

CWE Classification

CWE-288

References

www.libreoffice.org /about-us/security/advisories/cve-2025-14714

{
    "lastseen": "",
    "description": "An Authentication Bypass vulnerability existed where the application bundled an interpreter (Python) that inherits the Transparency, Consent, and Control (TCC) permissions\u00a0granted by the user to the main application bundle\n\n\n\n\nBy executing the bundled interpreter directly the attacker's scripts run with the application's TCC\u00a0privileges\n\n\n\n\nIn fixed versions parent-constraints are used to allow only the main application to launch interpreter with those permissions\n\nThis issue affects LibreOffice on macOS: from 25.2 before < 25.2.4.",
    "published": "2025-12-15T10:30:55.796Z",
    "modified": "2025-12-15T10:30:55.796Z",
    "type": "cve",
    "title": "TCC Bypass via Inherited Permissions in Bundled Interpreter",
    "source": "Document Fdn.",
    "references": "https://www.libreoffice.org/about-us/security/advisories/cve-2025-14714",
    "id": "CVE-2025-14714",
    "bulletinFamily": "",
    "cwe": [
        "CWE-288"
    ],
    "cvelist": null,
    "sourceData": "The Document Foundation LibreOffice 25.2",
    "sourceHref": "",
    "cvss": {
        "score": 0.9,
        "severity": "LOW",
        "vector": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:U",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "LibreOffice",
    "version": "25.2",
    "vendor": "The Document Foundation",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}