CVE-2025-14714 LOW

CVE-2025-14714: TCC Bypass via Inherited Permissions in Bundled Interpreter

Vendor The Document Foundation
Product LibreOffice
Weakness CWE-288
Published December 15, 2025
Last update December 15, 2025

CVSS base score

0.9/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:U

What the vulnerability does

01Description

An Authentication Bypass vulnerability existed where the application bundled an interpreter (Python) that inherits the Transparency, Consent, and Control (TCC) permissions granted by the user to the main application bundle By executing the bundled interpreter directly the attacker's scripts run with the application's TCC privileges In fixed versions parent-constraints are used to allow only the main application to launch interpreter with those permissions This issue affects LibreOffice on macOS: from 25.2 before < 25.2.4.

Key dates

02Disclosure timeline

December 15, 2025 CVE published
December 15, 2025 Record updated