Cybersecurity Vulnerabilities

CVE-2025-64766: Unveiling the Hardcoded Secret in OnlyOffice on NixOS

Overview

CVE-2025-64766 is a medium-severity vulnerability affecting the OnlyOffice document server when deployed on NixOS. It stems from a hardcoded secret in the NixOS module, which is used to protect OnlyOffice’s file cache. An attacker who knows a revision ID could use this secret to access documents even after a user’s access has expired. The issue has been resolved in NixOS unstable version 25.11 and version 25.05.

Technical Details

The NixOS module for OnlyOffice’s document server uses a secret key to secure its file cache. Versions from 22.11 up to, but not including, 25.05, and unstable versions before 25.11, inadvertently used a hardcoded value for this secret. Anyone who knows the hardcoded secret could use it to manipulate or access cached documents. Obtaining a valid revision ID may be difficult, but successful exploitation could bypass the intended access controls. The core of the issue is the predictable nature of the secret rather than a complex code execution flaw. The vulnerability resides in the NixOS packaging and configuration of the OnlyOffice document server, not in the OnlyOffice application code itself.

CVSS Analysis

CVE-2025-64766 has a Common Vulnerability Scoring System (CVSS) score of 5.3, which indicates a MEDIUM severity vulnerability. The CVSS vector string provides more detail (e.g., AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N), where AV = Attack Vector, AC = Attack Complexity, PR = Privileges Required, UI = User Interaction, S = Scope, C = Confidentiality, I = Integrity, A = Availability. The moderate impact and the relative difficulty of obtaining a valid revision ID contribute to this score.

Possible Impact

The primary impact of CVE-2025-64766 is unauthorized access to documents from users whose access has expired. An attacker exploiting this vulnerability could potentially gain access to sensitive information contained within these documents. While arbitrary document access is unlikely due to the requirement of knowing a valid revision ID, targeted attacks against known users and documents are possible. The confidentiality of data is the main concern, as the attacker can only view the document and not modify it.

Mitigation or Patch Steps

The vulnerability has been addressed in the following NixOS releases:

  • NixOS unstable version 25.11
  • NixOS version 25.05

To mitigate this vulnerability, users of NixOS should upgrade their systems to a patched version. Specifically:

  1. Update NixOS: Ensure your system is running the latest version of NixOS, which includes the security patches released to address CVE-2025-64766. This is typically achieved via `nixos-rebuild switch --upgrade`.
  2. Verify OnlyOffice Version: Confirm that the OnlyOffice document server instance is using the updated packages from the NixOS repository.
  3. Review Configuration (if applicable): If custom configurations were applied to the OnlyOffice module, review them for any potential conflicts or overrides that could reintroduce the vulnerability.
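
To apply step 1 across several machines, the script below sorts hosts by the release number that `nixos-version` reports, using the affected range given above. It is an added example, not code from the advisory, NixOS or OnlyOffice. It assumes version strings of the form "YY.MM.<rev>.<hash>" on stable and "YY.MMpre<rev>.<hash>" on unstable, and its function names and sample inventory are constructed for illustration.

```shell
#!/bin/sh
# Added example, not NixOS or OnlyOffice project code.
# Assumption: versions look like `nixos-version` output, i.e.
# "YY.MM.<rev>.<hash>" on stable and "YY.MMpre<rev>.<hash>" on unstable.

# classify_nixos VERSION
# prints: affected | verify | fixed | out-of-range | unknown
classify_nixos() {
    v=$1
    yy=${v%%.*}                        # release year, text before first dot
    rest=${v#*.}                       # everything after the first dot
    [ "$rest" != "$v" ] || { echo unknown; return; }   # no dot present
    mm=$(printf '%s' "$rest" | cut -c1-2)
    suffix=$(printf '%s' "$rest" | cut -c3-)
    case "$yy$mm" in
        [0-9][0-9][0-9][0-9]) ;;       # exactly four digits: YYMM
        *) echo unknown; return ;;
    esac
    key=$(( ${yy#0} * 100 + ${mm#0} )) # strip a leading 0 so 05 is not octal
    case "$suffix" in pre*) pre=1 ;; *) pre=0 ;; esac

    if   [ "$key" -lt 2211 ]; then echo out-of-range  # older than the range the page gives
    elif [ "$key" -lt 2505 ]; then echo affected      # 22.11 up to, not including, 25.05
    elif [ "$pre" -eq 1 ] && [ "$key" -lt 2511 ]; then echo affected  # unstable before 25.11
    elif [ "$pre" -eq 1 ] && [ "$key" -eq 2511 ]; then echo verify    # 25.11 pre-release: number alone cannot decide
    else echo fixed
    fi
}

# triage_inventory: reads "host version" lines on stdin and prints the
# hosts that need an upgrade or a manual check.
triage_inventory() {
    while read -r host ver extra; do
        [ -n "$host" ] || continue
        status=$(classify_nixos "$ver")
        case "$status" in
            affected|verify|unknown) printf '%s %s %s\n' "$host" "$ver" "$status" ;;
        esac
    done
}

# Constructed sample inventory (hostnames and revision hashes are made up).
SAMPLE_INVENTORY='web1 24.11.719113.0a1b2c3d4e5f
docs1 25.05.812242.1f2e3d4c5b6a
lab1 25.11pre861038.9a8b7c6d5e4f
old1 22.05.4694.aaaaaaaaaaaa'

printf '%s\n' "$SAMPLE_INVENTORY" | triage_inventory
```

A host reported as fixed still needs the current channel revision, because the release number does not show when the system was last rebuilt.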

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
