CVE-2021-25829

CVSS v3 base score: 7.5 (HIGH)

📋 TL;DR

CVE-2021-25829 is an improper binary stream data handling vulnerability in ONLYOFFICE DocumentServer: a specially crafted PPTX document, once the server opens or converts it, drives the conversion module into resource exhaustion and causes a denial of service. It affects organizations that run ONLYOFFICE DocumentServer for document collaboration and editing, and a single malicious file is enough to take the service down for every user of the instance.

💻 Affected Systems

Products:
  • ONLYOFFICE DocumentServer
Versions: v4.0.0-9 through v5.6.3
Operating Systems: Linux, Windows
Default Config Vulnerable: ⚠️ Yes
Notes: The flaw is in the core (native conversion) module's PPTX handling, so any code path that hands a PPTX to the converter reaches it. All installations in the affected version range are vulnerable regardless of configuration.

📦 What is this software?

ONLYOFFICE DocumentServer is the server component of the ONLYOFFICE suite: it hosts the collaborative web editors that integrating applications embed and converts office documents (including PPTX presentations) between formats. The conversion path, which parses uploaded files with the native core module, is where this flaw sits.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete server shutdown leading to service unavailability for all users, potential data loss for unsaved documents, and extended downtime requiring manual intervention.

🟠

Likely Case

Service disruption affecting document processing capabilities, temporary unavailability of ONLYOFFICE services, and potential cascading effects on dependent applications.

🟢

If Mitigated

With resource caps on the converter and monitoring in place, a malicious document can still kill or stall the worker that handles it, but the host stays up and the service recovers; the effect is temporary performance degradation rather than an outage.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation only requires getting DocumentServer to open or convert a crafted PPTX. In a typical integration that means any user who can upload or open a presentation through the integrating application, or anyone who can reach the conversion API if it is exposed; no authentication bypass is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v5.6.4 and later

Vendor Advisory: https://github.com/ONLYOFFICE/DocumentServer/releases

Restart Required: Yes

Instructions:

1. Back up the current configuration and data.
2. Stop the ONLYOFFICE DocumentServer service.
3. Update to v5.6.4 or later using the package manager or a manual installation; Docker deployments are updated by pulling a newer onlyoffice/documentserver image and recreating the container.
4. Restart the service.
5. Verify functionality (see How to Verify below).

🔧 Temporary Workarounds

Input Validation Filter

Platform: all

Put a WAF or reverse-proxy rule in front of the path that accepts presentation files, so that oversized or malformed PPTX uploads are rejected before DocumentServer's converter opens them. In most integrations DocumentServer does not receive the upload itself: the integrating application stores the file and DocumentServer fetches it by URL, so the filter belongs on the integrator's upload endpoint (and on the conversion API if it is exposed). A size cap is a weak control on its own, because nothing on this page says the crafted file has to be large; treat it as defense in depth, not a fix.

# Example nginx rule: cap the request body on the upload path instead of denying it outright.
# Bodies above the limit are rejected with 413 Request Entity Too Large.
# The path pattern, the 10M figure and the upstream name are placeholders for your deployment.
# Replacing proxy_pass with "deny all;" blocks every PPTX request, the blunt alternative if your users can tolerate it.
location ~ \.pptx$ {
    client_max_body_size 10M;
    proxy_pass http://documentserver_upstream;
}
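The following structural pre-screen is an added example, not ONLYOFFICE code or part of the original advisory. The advisory does not describe the malformed stream that triggers CVE-2021-25829, so this filter cannot match it specifically; it rejects inputs that are not well-formed OOXML packages or that would inflate to an unreasonable size, which removes the cheap ways of exhausting a converter. All size caps, the required part names and the sample packages are assumptions constructed for the example.

```python
"""Structural pre-screen for PPTX files before DocumentServer converts them.

Added example, not ONLYOFFICE code. It checks only the zip container; slide
XML is never parsed. Caps are assumptions; tune them to the largest decks
your users legitimately upload.
"""
from __future__ import annotations

import io
import zipfile

MAX_COMPRESSED = 10 * 1024 * 1024       # assumption: 10 MiB on the wire
MAX_UNCOMPRESSED = 200 * 1024 * 1024    # assumption: 200 MiB after inflation
MAX_RATIO = 100                         # assumption: >100:1 inflation is a bomb, not a deck
MAX_ENTRIES = 5000                      # assumption: far above any real presentation
REQUIRED_PARTS = ("[Content_Types].xml", "ppt/presentation.xml")  # OOXML package essentials


def screen_pptx(data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for an uploaded file body."""
    if len(data) > MAX_COMPRESSED:
        return False, "compressed size exceeds cap"
    if not data.startswith(b"PK\x03\x04"):
        return False, "not a zip container"
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        return False, f"bad zip: {exc}"
    with zf:
        infos = zf.infolist()
        if len(infos) > MAX_ENTRIES:
            return False, "too many entries"
        names = {i.filename for i in infos}
        missing = [p for p in REQUIRED_PARTS if p not in names]
        if missing:
            return False, f"missing OOXML part(s): {missing}"
        # Sizes come from the central directory, i.e. from the uploader; check
        # them before doing any decompression work at all.
        total_unc = sum(i.file_size for i in infos)
        total_cmp = sum(i.compress_size for i in infos) or 1
        if total_unc > MAX_UNCOMPRESSED:
            return False, "declared uncompressed size exceeds cap"
        if total_unc / total_cmp > MAX_RATIO:
            return False, "compression ratio looks like a decompression bomb"
        # Only now inflate every member (bounded by the caps above) so that a
        # lying directory or a corrupt stream is caught here, not in the converter.
        bad = zf.testzip()
        if bad is not None:
            return False, f"corrupt member: {bad}"
    return True, "ok"


def make_package(parts: dict[str, bytes]) -> bytes:
    """Build a constructed zip package in memory (test input, not a real deck)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, blob in parts.items():
            zf.writestr(name, blob)
    return buf.getvalue()


# Constructed samples: a minimal well-formed package and three that must be rejected.
SAMPLE_OK = make_package({
    "[Content_Types].xml": b"<Types/>",
    "ppt/presentation.xml": b"<p:presentation/>",
    "ppt/slides/slide1.xml": b"<p:sld/>",
})
SAMPLE_NOT_ZIP = b"\x00\x01\x02 this is not a presentation"
SAMPLE_MISSING_PART = make_package({"[Content_Types].xml": b"<Types/>"})
SAMPLE_BOMB = make_package({
    "[Content_Types].xml": b"<Types/>",
    "ppt/presentation.xml": b"<p:presentation/>",
    "ppt/media/image1.bin": b"\x00" * (32 * 1024 * 1024),  # 32 MiB of zeros inflates ~1000:1
})

if __name__ == "__main__":
    for label, blob in [("ok", SAMPLE_OK), ("not zip", SAMPLE_NOT_ZIP),
                        ("missing part", SAMPLE_MISSING_PART), ("bomb", SAMPLE_BOMB),
                        ("truncated", SAMPLE_OK[:-10])]:
        print(f"{label:13} -> {screen_pptx(blob)}")
```

Run it in the upload handler of the integrating application (or as a WAF hook) and reject the request when `screen_pptx` returns `False`. The order of the checks matters: everything that can be decided from headers and the central directory runs before a single byte is inflated, so the screen itself cannot be turned into the resource sink it is meant to prevent.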

Resource Limiting

Platform: linux

Put a memory cap on the cgroup that runs the conversion processes so that a runaway conversion is OOM-killed and restarted instead of taking the whole host down. The unit name below is the page's assumption: packaged installs run docservice and the converter under supervisord, so identify the unit that actually owns the converter (`systemctl status <pid of x2t>`, often supervisor.service) and apply the property there.

# Cap memory for the systemd unit that owns the DocumentServer processes.
# MemoryMax= is the cgroup v2 key; on cgroup v1 hosts use the legacy MemoryLimit= instead.
systemctl set-property onlyoffice-documentserver.service MemoryMax=2G
systemctl show onlyoffice-documentserver.service -p MemoryMax   # confirm the limit took effect

🧯 If You Can't Patch

  • Restrict who can submit documents: limit upload rights in the integrating application, filter file types at the network perimeter, and do not expose the conversion API to untrusted networks
  • If your version supports it, enable DocumentServer's JWT secret so that only your integrator can submit conversion and editing requests
  • Deploy monitoring and alerting for abnormal resource consumption and converter crashes (see Detection & Monitoring below)

🔍 How to Verify

Check if Vulnerable:

Read the installed version and compare it against the affected range (v4.0.0-9 through v5.6.3):

# Debian/Ubuntu package
dpkg -l onlyoffice-documentserver 2>/dev/null | awk '/^ii/ {print $3}'
# RHEL/CentOS package
rpm -q --qf '%{VERSION}-%{RELEASE}\n' onlyoffice-documentserver 2>/dev/null
# Docker image: the container carries the same package, so query it there
docker exec <container> dpkg -l onlyoffice-documentserver | awk '/^ii/ {print $3}'
# Running service: the docservice info endpoint reports the build version (confirm it is exposed in your deployment)
curl -s http://localhost/info/info.json

Verify Fix Applied:

The installed version must be v5.6.4 or higher on every node, including Docker containers, which are updated by pulling a newer image rather than through the host package manager. After the upgrade, convert a known-good PPTX to confirm the converter works; that is a functional check only and does not by itself prove the flaw is fixed.

📡 Detection & Monitoring

Log Indicators (on packaged installs the converter and docservice logs live under /var/log/onlyoffice/documentserver/):

  • Abnormal memory consumption spikes in the converter process (x2t)
  • Converter crashes or non-zero exit codes in the ONLYOFFICE converter log
  • Multiple failed conversions of the same document in a short time
  • Out-of-memory and OOM-killer messages in the system log

Network Indicators:

  • Unusually large PPTX uploads
  • Multiple document uploads or conversion requests from a single source in a short time
  • Abnormal traffic patterns to document processing endpoints (for example the conversion API, /ConvertService.ashx)

SIEM Query:

Pseudo-query in Splunk-like syntax; field and process names are placeholders to map onto your own log sources. The two halves are grouped explicitly, since the search is meaningless if AND and OR are left to bind by default:

(source="onlyoffice.logs" AND ("out of memory" OR "crash" OR "segmentation fault" OR "Killed process")) OR (source="system.logs" AND process IN ("x2t", "docservice", "converter") AND (mem_pct>90 OR cpu_pct>95))
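The detection pass below is an added example, not ONLYOFFICE tooling or part of the original advisory. It runs the indicators listed above over constructed log lines: the process log lines are made up to resemble (not reproduce) kernel and converter output, and the access log lines follow the nginx combined format with `$request_length` appended, which is an assumed custom log_format. The endpoint list, thresholds and IP addresses are assumptions as well; adapt the regexes to the real formats before relying on them.

```python
"""Detection pass for memory-exhaustion, converter-crash and upload-burst
indicators over constructed log samples.

Added example, not ONLYOFFICE tooling. Sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Process-level indicators: memory exhaustion and converter crashes / signal exits.
CRASH_RE = re.compile(
    r"out of memory|oom-kill|killed process|segmentation fault|segfault|"
    r"enomem|core dumped|exited with code 13[4-9]", re.I)

# Constructed: a kernel OOM-killer line naming the x2t converter, a converter
# error line, and a benign docservice line that must not match.
SAMPLE_PROCESS_LOGS = [
    "Mar  1 12:00:05 ds kernel: Out of memory: Killed process 4242 (x2t) total-vm:8123456kB",
    "[2021-03-01T12:00:06.120] [ERROR] converter - deck.pptx: x2t exited with code 139",
    "[2021-03-01T12:00:07.001] [INFO] docservice - saved document abc123",
]

# nginx combined format plus a trailing $request_length field (assumed log_format).
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<resp>\d+) (?P<reqlen>\d+)$')
# Assumed list of document processing endpoints; add the integrator's upload path.
PROCESSING_PATHS = ("/ConvertService.ashx",)

# Constructed: one source sends six conversion requests in 30 seconds, a second
# source sends one 20 MiB request, a third only hits the health check.
SAMPLE_ACCESS_LOGS = [
    f'203.0.113.7 - - [01/Mar/2021:12:00:{s:02d} +0000] "POST /ConvertService.ashx HTTP/1.1" 200 512 4096'
    for s in (0, 5, 11, 18, 24, 30)
] + [
    '198.51.100.4 - - [01/Mar/2021:12:03:00 +0000] "POST /ConvertService.ashx HTTP/1.1" 200 512 20971520',
    '192.0.2.9 - - [01/Mar/2021:12:04:00 +0000] "GET /healthcheck HTTP/1.1" 200 4 0',
]


def scan_process_logs(lines):
    """Return the lines that match a crash or memory-exhaustion indicator."""
    return [ln for ln in lines if CRASH_RE.search(ln)]


def scan_access_logs(lines, window_s=60, burst_threshold=5, large_bytes=8 * 1024 * 1024):
    """Return alerts: ('burst', ip, n) when n >= burst_threshold processing requests
    from one source fall within window_s seconds, and ('large_upload', ip, bytes)
    for every request body above large_bytes. Thresholds are assumptions."""
    alerts = []
    times = defaultdict(list)
    for ln in lines:
        m = ACCESS_RE.match(ln)
        if not m or not m["path"].startswith(PROCESSING_PATHS):
            continue
        times[m["ip"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
        reqlen = int(m["reqlen"])
        if reqlen > large_bytes:
            alerts.append(("large_upload", m["ip"], reqlen))
    # Sliding window per source: report the first window that reaches the threshold.
    for ip, ts_list in times.items():
        ts_list.sort()
        i = 0
        for j, t in enumerate(ts_list):
            while (t - ts_list[i]).total_seconds() > window_s:
                i += 1
            if j - i + 1 >= burst_threshold:
                alerts.append(("burst", ip, j - i + 1))
                break
    return alerts


if __name__ == "__main__":
    for hit in scan_process_logs(SAMPLE_PROCESS_LOGS):
        print("PROCESS:", hit)
    for alert in scan_access_logs(SAMPLE_ACCESS_LOGS):
        print("ACCESS:", alert)
```

Feed `scan_process_logs` the converter log and the system journal, and `scan_access_logs` the proxy access log; correlating a burst or a large upload from one source with a converter crash a few seconds later is the pattern worth paging on, since a single crash can also be a legitimately broken file.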
