CVE-2025-64766
📋 TL;DR
CVE-2025-64766 is a hard-coded secret vulnerability in NixOS's OnlyOffice document server module that allows attackers with knowledge of a document revision ID to access cached files. This primarily affects users of NixOS versions 22.11 through 25.05 and unstable versions before 25.11. The impact is limited to accessing known documents from users with expired access.
💻 Affected Systems
- NixOS OnlyOffice document server module
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access sensitive documents if they obtain valid revision IDs, potentially exposing confidential information.
Likely Case
Limited access to documents with known revision IDs, primarily affecting documents from users whose access has expired.
If Mitigated
Minimal impact if revision IDs are properly protected and access controls are enforced.
🎯 Exploit Status
Exploitation requires knowledge of specific document revision IDs, which should be difficult to obtain in practice.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: NixOS unstable 25.11 and version 25.05
Vendor Advisory: https://github.com/NixOS/nixpkgs/security/advisories/GHSA-58m4-5wg3-5g5v
Restart Required: Yes
Instructions:
1. Update NixOS to version 25.05 or unstable 25.11.
2. Rebuild the system with 'nixos-rebuild switch'.
3. Restart the OnlyOffice document server service.
🔧 Temporary Workarounds
Disable OnlyOffice document server
Temporarily disable the vulnerable service until patching is possible:
sudo systemctl stop onlyoffice-documentserver
sudo systemctl disable onlyoffice-documentserver
🧯 If You Can't Patch
- Restrict network access to OnlyOffice document server to trusted networks only.
- Implement additional access controls and monitoring for document revision ID usage.
🔍 How to Verify
Check if Vulnerable:
Check NixOS version with 'nixos-version' and verify if OnlyOffice document server is installed and running.
Check Version:
nixos-version
Verify Fix Applied:
Confirm NixOS version is 25.05 or unstable 25.11, and verify the OnlyOffice service is running with updated configuration.
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to document cache files
- Requests with invalid or unexpected revision IDs
Network Indicators:
- Suspicious requests to document cache endpoints
SIEM Query:
source="onlyoffice" AND (revision_id_access OR cache_access)
🔗 References
- https://github.com/NixOS/nixpkgs/commit/8e74d05e3de4ee5ad320cd585a7e0f12a4730869
- https://github.com/NixOS/nixpkgs/commit/cec38dec00df26a901eb8b424d53bbb3bcc72eec
- https://github.com/NixOS/nixpkgs/pull/462100
- https://github.com/NixOS/nixpkgs/pull/462204
- https://github.com/NixOS/nixpkgs/security/advisories/GHSA-58m4-5wg3-5g5v