Title: Empty entry in Java class path risks arbitrary code execution

Announced: March 24, 2023

Fixed in: LibreOffice 7.2.6/7.3.1


Most versions of LibreOffice support and contain components written in Java. LibreOffice extends the existing Java class path with its own internal classes.

In the affected versions of LibreOffice if the existing class path was empty, then when Java class files are loaded, the current working directory is searched for valid classes before using the embedded versions. If an attacker sends a zip file containing a class file alongside a document then, depending on the file manager or other tool used to open the zip file, when on navigating to the document and launching LibreOffice to open it, the current working directory of LibreOffice may be the directory in which the class file exists, in which case there is a risk that the arbitrary code of the class file could be executed.

In versions >= 7.2.6 (and >= 7.3.1) such unwanted empty paths are not appended to the classpath


  • European Commission's Open Source Programme Office for sponsoring a security bug bounty for LibreOffice
  • Stephen Bergmann of Red Hat, Inc. for a solution