
CVE-2025-64766: CWE-798: Use of Hard-coded Credentials in NixOS nixpkgs

Severity: Medium
Tags: Vulnerability, CVE-2025-64766, CWE-798
Published: Mon Nov 17 2025 (11/17/2025, 21:38:10 UTC)
Source: CVE Database V5
Vendor/Project: NixOS
Product: nixpkgs

Description

CVE-2025-64766 is a medium-severity vulnerability in the OnlyOffice document server module of NixOS nixpkgs. The module used a hard-coded secret to protect the document server's file cache, so an attacker who knows a document's revision ID can retrieve that document from the cache. Affected versions are 22.11 up to but not including 25.05, and unstable versions before 25.11. Exploitation requires no authentication or user interaction, but it does require knowledge of a valid revision ID, which is considered difficult to obtain. The primary impact is unauthorized read access to documents, including ones a user no longer has permission to access, potentially exposing sensitive information. The issue was fixed in NixOS 25.05 and unstable 25.11.

AI-Powered Analysis

AI analysis last updated: 11/24/2025, 22:16:37 UTC

Technical Analysis

CVE-2025-64766 is classified under CWE-798 (Use of Hard-coded Credentials). It affects the OnlyOffice document server module shipped in NixOS nixpkgs; OnlyOffice is a widely used document editing and collaboration suite, and the nixpkgs module packages it as a NixOS service.

In affected versions (22.11 up to but not including 25.05, and unstable before 25.11), the module embedded a hard-coded secret to protect the document server's file cache. Because the secret is static and shipped with the module, every deployment built from those versions shares it, and anyone who reads the module source knows it. That secret is the only thing gating access to cached files: an attacker who also knows a valid revision ID for a document can use it to bypass the intended access control and retrieve the document from the cache. Revision IDs are not trivial to acquire, but once one is obtained it grants read-only access to the document, including for users whose access rights have since expired or been revoked.

The flaw is limited to confidentiality. It does not allow documents to be modified or deleted and does not affect availability. It was fixed in NixOS 25.05 and in unstable 25.11 by no longer shipping the hard-coded secret in the module.

The CVSS v3.1 base score is 5.3 (medium): network attack vector, low attack complexity, no privileges or user interaction required, unchanged scope, low confidentiality impact and no integrity or availability impact, which corresponds to the vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The low attack complexity rating reflects the absence of special preconditions once a revision ID is known; obtaining the ID is what limits real-world exploitability. No exploitation in the wild had been reported at the time of analysis. The vulnerability illustrates the risk of embedding static secrets in software modules, especially in collaborative environments where document confidentiality is critical.
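The following is an added illustration of the mechanism described above, not code from nixpkgs or OnlyOffice: it models a cache endpoint that releases a file when the request carries an HMAC over the revision ID computed with a shared secret. The token layout, the function names, the placeholder secret and the sample revision ID are all constructed for this example. It shows why a secret baked into the module is worthless once the module source is public, and how a per-deployment secret generated at install time and kept in a root-only file removes the forgery path while leaving the access check itself unchanged.

```python
"""Added example: a shared-secret gate on a file cache, vulnerable and hardened.

Constructed model, not OnlyOffice's or nixpkgs' real code. Names, token
format and sample values are placeholders chosen for the illustration.
"""
import hashlib
import hmac
import os
import secrets
import tempfile
from typing import Optional

# Vulnerable variant (CWE-798): the secret is a literal in the shipped module,
# so every deployment shares it and it is readable by anyone with the source.
HARDCODED_CACHE_SECRET = b"example-static-cache-secret"  # placeholder value


def issue_token(secret: bytes, revision_id: str, expires: int) -> str:
    """Mint an access token: revision_id|expires|HMAC-SHA256(secret, revision_id|expires)."""
    payload = f"{revision_id}|{expires}".encode()
    mac = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return f"{revision_id}|{expires}|{mac}"


def verify_token(secret: bytes, token: str, now: int) -> Optional[str]:
    """Return the revision ID a token grants access to, or None if forged, tampered or expired."""
    try:
        revision_id, expires_str, mac = token.split("|")
        expires = int(expires_str)
    except ValueError:
        return None
    if now >= expires:
        return None
    expected = hmac.new(secret, f"{revision_id}|{expires}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return revision_id


def attacker_forge(revision_id: str, known_secret: bytes, now: int) -> str:
    """What an attacker holding a revision ID does when the secret is public:
    mint their own token, with whatever expiry they like."""
    return issue_token(known_secret, revision_id, now + 10 * 365 * 86400)


# Hardened variant: a 256-bit secret generated once per deployment and stored
# in a mode-0600 file outside the package, never in source or in the Nix store.
def load_or_create_secret(path: str) -> bytes:
    if os.path.exists(path):
        with open(path, "rb") as fh:
            return fh.read()
    key = secrets.token_bytes(32)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(key)
    return key


def demo(now: int = 1_700_000_000) -> dict:
    """Forge a token for a known revision ID and try it against both variants."""
    revision_id = "rev-7f3a21c"  # constructed sample revision ID
    forged = attacker_forge(revision_id, HARDCODED_CACHE_SECRET, now)

    # Vulnerable: the cache accepts the forged token because the key is shared.
    vulnerable_grants = verify_token(HARDCODED_CACHE_SECRET, forged, now) == revision_id

    # Hardened: the attacker still knows the revision ID and the algorithm, but
    # not this deployment's secret, so the same forgery is rejected. Legitimate
    # tokens issued with the real secret still verify, expire on time, and the
    # secret survives a service restart because it is read back from the file.
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "cache-secret")
        deploy_secret = load_or_create_secret(secret_path)
        hardened_grants = verify_token(deploy_secret, forged, now) == revision_id
        legit = issue_token(deploy_secret, revision_id, now + 600)
        legit_ok = verify_token(deploy_secret, legit, now) == revision_id
        legit_expired = verify_token(deploy_secret, legit, now + 601) is None
        persistent = load_or_create_secret(secret_path) == deploy_secret

    return {
        "vulnerable_grants_access": vulnerable_grants,
        "hardened_grants_access": hardened_grants,
        "hardened_legit_token_ok": legit_ok,
        "hardened_expired_token_rejected": legit_expired,
        "secret_persists_across_restart": persistent,
    }


if __name__ == "__main__":
    print(demo())
```

Note that nothing about the verification logic changes between the two variants; the difference is entirely in where the key comes from. That is the general shape of a CWE-798 fix: the check was fine, the credential was not.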

Potential Impact

For European organizations, the primary impact is unauthorized disclosure of documents stored or cached by an OnlyOffice document server running on NixOS. Organizations that rely on OnlyOffice for document collaboration may suffer confidentiality breaches if an attacker obtains revision IDs, exposing intellectual property, personal data or confidential business information. Exploitation requires revision IDs, so the most realistic actors are insiders or attackers with partial access who can see identifiers for documents they are no longer authorized to read.

The vulnerability does not affect document integrity or availability; the scope is confidentiality only. Given the regulatory focus on data protection in Europe, notably GDPR, unauthorized disclosure of personal data can lead to compliance violations and reputational damage, so organizations running affected versions in sectors such as finance, healthcare or government should treat this as a significant risk. The absence of known exploits lowers immediate urgency but does not remove the threat, since attackers may find ways to harvest revision IDs over time.

Mitigation Recommendations

Organizations should first check whether any NixOS deployment enables the OnlyOffice document server module and runs a release in the affected range (>=22.11 and <25.05, or unstable before 25.11); `nixos-version` prints the release string. The primary mitigation is to upgrade to NixOS 25.05 or later, or unstable 25.11 or later, where the hard-coded secret is no longer shipped. Because the secret is hard-coded in the module rather than supplied by configuration, it cannot be rotated on an affected release; only the upgrade removes it.

If upgrading is not immediately feasible, restrict network access to the document server to trusted users and networks using firewalls or a VPN. This limits exposure to external attackers but not to insiders who already hold revision IDs. Monitor access to the server for unusual patterns, in particular high volumes of requests for cached files that could indicate attempts to enumerate or guess revision IDs. Audit how revision IDs are generated and distributed to reduce leakage, and treat them as sensitive identifiers in user guidance so they are not shared inadvertently.
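A small added helper for the first mitigation step, checking whether a host's NixOS release falls in the affected range; it is not a nixpkgs or NixOS tool. It parses the output of `nixos-version`, whose first field is the release (for example `24.11.20250101.abcdef1 (Vicuna)` on a release channel, or `25.11pre857471.7f6f1a7 (Xantusia)` on unstable, where the number before `pre` names the upcoming release). The sample version strings are constructed. Two points are assumptions rather than statements from the advisory: that an unstable snapshot labelled `25.11pre` needs its nixpkgs revision compared against the fix rather than being called affected or fixed from the version alone, and that the module is toggled by `services.onlyoffice.enable` as queried through `nixos-option`.

```python
"""Added example: classify a NixOS release string against the CVE-2025-64766 ranges.

Not a nixpkgs or NixOS tool. Sample version strings are constructed; the
`services.onlyoffice.enable` option name and the `nixos-option` output
parsing are assumptions (see lead-in).
"""
import re
import subprocess
from typing import Tuple

# From the advisory: stable >=22.11 and <25.05 affected, fixed in 25.05;
# unstable before 25.11 affected, fixed in 25.11.
AFFECTED_STABLE_FROM: Tuple[int, int] = (22, 11)
FIXED_STABLE: Tuple[int, int] = (25, 5)
FIXED_UNSTABLE: Tuple[int, int] = (25, 11)

# `nixos-version` prints e.g. "24.11.20250101.abcdef1 (Vicuna)" on a release
# and "25.11pre857471.7f6f1a7 (Xantusia)" on unstable, where the number
# before "pre" is the *upcoming* release.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(pre)?")


def classify_nixos_version(version: str) -> str:
    """Return 'affected', 'fixed', 'check-revision', 'not-in-advisory-range'
    or 'unparseable' for a `nixos-version` string."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return "unparseable"
    release = (int(m.group(1)), int(m.group(2)))
    if m.group(3) == "pre":
        # Unstable snapshot. Anything labelled for a release before 25.11 predates
        # the fix. A 25.11pre snapshot may or may not contain it depending on its
        # nixpkgs commit (assumption: not decidable from the version alone).
        if release < FIXED_UNSTABLE:
            return "affected"
        if release == FIXED_UNSTABLE:
            return "check-revision"
        return "fixed"
    if release < AFFECTED_STABLE_FROM:
        return "not-in-advisory-range"  # older than the range the advisory names
    if release < FIXED_STABLE:
        return "affected"
    return "fixed"


def running_nixos_version() -> str:
    """Read the release string from the real `nixos-version` command."""
    return subprocess.run(["nixos-version"], capture_output=True, text=True, check=True).stdout


def onlyoffice_module_enabled() -> bool:
    """Assumption: the module is toggled by services.onlyoffice.enable and
    `nixos-option` prints its current value on the line after 'Value:'."""
    out = subprocess.run(
        ["nixos-option", "services.onlyoffice.enable"],
        capture_output=True, text=True, check=True,
    ).stdout
    m = re.search(r"^Value:\s*\n\s*(\S+)", out, re.MULTILINE)
    return bool(m) and m.group(1) == "true"


if __name__ == "__main__":
    try:
        version = running_nixos_version()
        print(f"{version.strip()} -> {classify_nixos_version(version)}")
        if onlyoffice_module_enabled():
            print("services.onlyoffice is enabled on this host")
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        print(f"not a NixOS host or command failed: {exc}")
```

Releases older than 22.11 are reported as outside the advisory's stated range rather than as fixed, since the advisory says nothing about them; a host on such a release is unsupported and should be upgraded regardless.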


Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2025-11-10T22:29:34.877Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 691b98f601a6b16707f49d49

Added to database: 11/17/2025, 9:51:50 PM

Last enriched: 11/24/2025, 10:16:37 PM

Last updated: 1/7/2026, 8:57:52 AM
