CVE-2025-64766

Nov. 18, 2025, 2:06 p.m.

5.3
Medium

Description

NixOS's Onlyoffice is a software suite that offers online and offline tools for document editing, collaboration, and management. In versions from 22.11 to before 25.05 and versions before Unstable 25.11, a hard-coded secret was used in the NixOS module for the OnlyOffice document server to protect its file cache. An attacker with knowledge of an existing revision ID could use this secret to obtain a document. In practice, an arbitrary revision ID should be hard to obtain. The primary impact is likely the access to known documents from users with expired access. This issue was resolved in NixOS unstable version 25.11 and version 25.05.

Product(s) Impacted

Vendor Product Versions
Nixos
  • Onlyoffice
  • 22.11-24.99, <25.11

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-798
Use of Hard-coded Credentials
The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a nixos onlyoffice 22.11-24.99 / / / / / / /
a nixos onlyoffice <25.11 / / / / / / /

References

https://github.com/NixOS/nixpkgs/commit/8e74d05e3de4ee5ad320cd585a7e0f12a4730869
https://github.com/NixOS/nixpkgs/commit/cec38dec00df26a901eb8b424d53bbb3bcc72eec
https://github.com/NixOS/nixpkgs/pull/462100
https://github.com/NixOS/nixpkgs/pull/462204
https://github.com/NixOS/nixpkgs/security/advisories/GHSA-58m4-5wg3-5g5v

Tags

security-advisories@github.com
CWE-798
2025-11-17
CVE-2025-64766

CVSS Score

5.3 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: NONE
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

    View Vector String

Timeline

Published: Nov. 17, 2025, 10:15 p.m.
Last Modified: Nov. 18, 2025, 2:06 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.