Search criteria
1829 vulnerabilities found for Firefox ESR by Mozilla
CERTFR-2025-AVI-1099
Vulnerability from certfr_avis - Published: 2025-12-11 - Updated: 2025-12-11
De multiples vulnérabilités ont été découvertes dans les produits Mozilla. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une élévation de privilèges et un contournement de la politique de sécurité.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Mozilla | Firefox ESR | Firefox ESR versions antérieures à 140.6 | ||
| Mozilla | Thunderbird | Thunderbird versions antérieures à 146 | ||
| Mozilla | Thunderbird ESR | Thunderbird ESR versions antérieures à 140.6 | ||
| Mozilla | Firefox | Firefox ESR versions antérieures à 146 |
References
| Title | Publication Time | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Firefox ESR versions ant\u00e9rieures \u00e0 140.6",
"product": {
"name": "Firefox ESR",
"vendor": {
"name": "Mozilla",
"scada": false
}
}
},
{
"description": "Thunderbird versions ant\u00e9rieures \u00e0 146",
"product": {
"name": "Thunderbird",
"vendor": {
"name": "Mozilla",
"scada": false
}
}
},
{
"description": "Thunderbird ESR versions ant\u00e9rieures \u00e0 140.6",
"product": {
"name": "Thunderbird ESR",
"vendor": {
"name": "Mozilla",
"scada": false
}
}
},
{
"description": "Firefox ESR versions ant\u00e9rieures \u00e0 146",
"product": {
"name": "Firefox",
"vendor": {
"name": "Mozilla",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-14321",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-14321"
},
{
"name": "CVE-2025-14330",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-14330"
},
{
"name": "CVE-2025-14333",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-14333"
},
{
"name": "CVE-2025-14331",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-14331"
},
{
"name": "CVE-2025-14323",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-14323"
},
{
"name": "CVE-2025-14329",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-14329"
},
{
"name": "CVE-2025-14327",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-14327"
},
{
"name": "CVE-2025-14328",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-14328"
},
{
"name": "CVE-2025-14325",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-14325"
},
{
"name": "CVE-2025-14326",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-14326"
},
{
"name": "CVE-2025-14322",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-14322"
},
{
"name": "CVE-2025-14332",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-14332"
},
{
"name": "CVE-2025-14324",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-14324"
}
],
"initial_release_date": "2025-12-11T00:00:00",
"last_revision_date": "2025-12-11T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-1099",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-12-11T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Mozilla. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une \u00e9l\u00e9vation de privil\u00e8ges et un contournement de la politique de s\u00e9curit\u00e9.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Mozilla",
"vendor_advisories": [
{
"published_at": "2025-12-09",
"title": "Bulletin de s\u00e9curit\u00e9 Mozilla mfsa2025-95",
"url": "https://www.mozilla.org/en-US/security/advisories/mfsa2025-95/"
},
{
"published_at": "2025-12-09",
"title": "Bulletin de s\u00e9curit\u00e9 Mozilla mfsa2025-96",
"url": "https://www.mozilla.org/en-US/security/advisories/mfsa2025-96/"
}
]
}
CERTFR-2025-AVI-1087
Vulnerability from certfr_avis - Published: 2025-12-10 - Updated: 2025-12-10
De multiples vulnérabilités ont été découvertes dans les produits Mozilla. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une élévation de privilèges et un contournement de la politique de sécurité.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Mozilla | Firefox ESR | Firefox ESR versions antérieures à 115.31 | ||
| Mozilla | Firefox ESR | Firefox ESR versions antérieures à 140.6 | ||
| Mozilla | Firefox | Firefox versions antérieures à 146 | ||
| Mozilla | Thunderbird | Thunderbird versions antérieures à 146 |
References
| Title | Publication Time | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Firefox ESR versions ant\u00e9rieures \u00e0 115.31",
"product": {
"name": "Firefox ESR",
"vendor": {
"name": "Mozilla",
"scada": false
}
}
},
{
"description": "Firefox ESR versions ant\u00e9rieures \u00e0 140.6",
"product": {
"name": "Firefox ESR",
"vendor": {
"name": "Mozilla",
"scada": false
}
}
},
{
"description": "Firefox versions ant\u00e9rieures \u00e0 146",
"product": {
"name": "Firefox",
"vendor": {
"name": "Mozilla",
"scada": false
}
}
},
{
"description": "Thunderbird versions ant\u00e9rieures \u00e0 146",
"product": {
"name": "Thunderbird",
"vendor": {
"name": "Mozilla",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-14321",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-14321"
},
{
"name": "CVE-2025-14330",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-14330"
},
{
"name": "CVE-2025-14333",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-14333"
},
{
"name": "CVE-2025-14331",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-14331"
},
{
"name": "CVE-2025-14323",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-14323"
},
{
"name": "CVE-2025-14329",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-14329"
},
{
"name": "CVE-2025-14327",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-14327"
},
{
"name": "CVE-2025-14328",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-14328"
},
{
"name": "CVE-2025-14325",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-14325"
},
{
"name": "CVE-2025-14326",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-14326"
},
{
"name": "CVE-2025-14322",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-14322"
},
{
"name": "CVE-2025-14332",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-14332"
},
{
"name": "CVE-2025-14324",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-14324"
}
],
"initial_release_date": "2025-12-10T00:00:00",
"last_revision_date": "2025-12-10T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-1087",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-12-10T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Mozilla. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une \u00e9l\u00e9vation de privil\u00e8ges et un contournement de la politique de s\u00e9curit\u00e9.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Mozilla",
"vendor_advisories": [
{
"published_at": "2025-12-09",
"title": "Bulletin de s\u00e9curit\u00e9 Mozilla mfsa2025-92",
"url": "https://www.mozilla.org/en-US/security/advisories/mfsa2025-92/"
},
{
"published_at": "2025-12-09",
"title": "Bulletin de s\u00e9curit\u00e9 Mozilla mfsa2025-93",
"url": "https://www.mozilla.org/en-US/security/advisories/mfsa2025-93/"
},
{
"published_at": "2025-12-09",
"title": "Bulletin de s\u00e9curit\u00e9 Mozilla mfsa2025-94",
"url": "https://www.mozilla.org/en-US/security/advisories/mfsa2025-94/"
}
]
}
CERTFR-2025-AVI-0991
Vulnerability from certfr_avis - Published: 2025-11-12 - Updated: 2025-11-12
De multiples vulnérabilités ont été découvertes dans les produits Mozilla. Elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un contournement de la politique de sécurité et un problème de sécurité non spécifié par l'éditeur.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Mozilla | Firefox | Firefox versions antérieures à 145 | ||
| Mozilla | Firefox ESR | Firefox ESR versions antérieures à 115.30 | ||
| Mozilla | Firefox ESR | Firefox ESR versions antérieures à 140.5 | ||
| Mozilla | Thunderbird | Thunderbird versions antérieures à 145 |
References
| Title | Publication Time | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Firefox versions ant\u00e9rieures \u00e0 145",
"product": {
"name": "Firefox",
"vendor": {
"name": "Mozilla",
"scada": false
}
}
},
{
"description": "Firefox ESR versions ant\u00e9rieures \u00e0 115.30",
"product": {
"name": "Firefox ESR",
"vendor": {
"name": "Mozilla",
"scada": false
}
}
},
{
"description": "Firefox ESR versions ant\u00e9rieures \u00e0 140.5",
"product": {
"name": "Firefox ESR",
"vendor": {
"name": "Mozilla",
"scada": false
}
}
},
{
"description": "Thunderbird versions ant\u00e9rieures \u00e0 145",
"product": {
"name": "Thunderbird",
"vendor": {
"name": "Mozilla",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-13024",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13024"
},
{
"name": "CVE-2025-13022",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13022"
},
{
"name": "CVE-2025-13019",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13019"
},
{
"name": "CVE-2025-13016",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13016"
},
{
"name": "CVE-2025-13023",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13023"
},
{
"name": "CVE-2025-13018",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13018"
},
{
"name": "CVE-2025-13012",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13012"
},
{
"name": "CVE-2025-13020",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13020"
},
{
"name": "CVE-2025-13021",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13021"
},
{
"name": "CVE-2025-13017",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13017"
},
{
"name": "CVE-2025-13025",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13025"
},
{
"name": "CVE-2025-13015",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13015"
},
{
"name": "CVE-2025-13014",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13014"
},
{
"name": "CVE-2025-13027",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13027"
},
{
"name": "CVE-2025-13026",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13026"
},
{
"name": "CVE-2025-13013",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13013"
}
],
"initial_release_date": "2025-11-12T00:00:00",
"last_revision_date": "2025-11-12T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-0991",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-11-12T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Mozilla. Elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un contournement de la politique de s\u00e9curit\u00e9 et un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Mozilla",
"vendor_advisories": [
{
"published_at": "2025-11-11",
"title": "Bulletin de s\u00e9curit\u00e9 Mozilla mfsa2025-88",
"url": "https://www.mozilla.org/en-US/security/advisories/mfsa2025-88/"
},
{
"published_at": "2025-11-11",
"title": "Bulletin de s\u00e9curit\u00e9 Mozilla mfsa2025-87",
"url": "https://www.mozilla.org/en-US/security/advisories/mfsa2025-87/"
},
{
"published_at": "2025-11-11",
"title": "Bulletin de s\u00e9curit\u00e9 Mozilla mfsa2025-89",
"url": "https://www.mozilla.org/en-US/security/advisories/mfsa2025-89/"
}
]
}
CVE-2025-14330 (GCVE-0-2025-14330)
Vulnerability from nvd – Published: 2025-12-09 13:38 – Updated: 2025-12-11 20:38
VLAI?
Title
JIT miscompilation in the JavaScript Engine: JIT component
Summary
JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6.
Severity ?
9.8 (Critical)
CWE
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Mozilla | Firefox |
Affected:
unspecified , < 146
(custom)
|
|||||||||||||||||
|
|||||||||||||||||||
Credits
Rong Bao
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-14330",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-11T20:35:46.407561Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-686",
"description": "CWE-686 Function Call With Incorrect Argument Type",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-843",
"description": "CWE-843 Access of Resource Using Incompatible Type (\u0027Type Confusion\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-11T20:38:25.860Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Firefox",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "146",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Firefox ESR",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "140.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "146",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "140.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Rong Bao"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox \u003c 146, Firefox ESR \u003c 140.6, Thunderbird \u003c 146, and Thunderbird \u003c 140.6."
}
],
"value": "JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox \u003c 146, Firefox ESR \u003c 140.6, Thunderbird \u003c 146, and Thunderbird \u003c 140.6."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-10T14:32:21.966Z",
"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"shortName": "mozilla"
},
"references": [
{
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1997503"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-92/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-94/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-95/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-96/"
}
],
"title": "JIT miscompilation in the JavaScript Engine: JIT component"
}
},
"cveMetadata": {
"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"assignerShortName": "mozilla",
"cveId": "CVE-2025-14330",
"datePublished": "2025-12-09T13:38:05.995Z",
"dateReserved": "2025-12-09T13:38:05.412Z",
"dateUpdated": "2025-12-11T20:38:25.860Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14329 (GCVE-0-2025-14329)
Vulnerability from nvd – Published: 2025-12-09 13:38 – Updated: 2025-12-10 14:32
VLAI?
Title
Privilege escalation in the Netmonitor component
Summary
Privilege escalation in the Netmonitor component. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6.
Severity ?
8.8 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Mozilla | Firefox |
Affected:
unspecified , < 146
(custom)
|
|||||||||||||||||
|
|||||||||||||||||||
Credits
satrya wira yudha
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-14329",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-09T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-10T04:57:15.064Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Firefox",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "146",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Firefox ESR",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "140.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "146",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "140.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "satrya wira yudha"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Privilege escalation in the Netmonitor component. This vulnerability affects Firefox \u003c 146, Firefox ESR \u003c 140.6, Thunderbird \u003c 146, and Thunderbird \u003c 140.6."
}
],
"value": "Privilege escalation in the Netmonitor component. This vulnerability affects Firefox \u003c 146, Firefox ESR \u003c 140.6, Thunderbird \u003c 146, and Thunderbird \u003c 140.6."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-10T14:32:21.549Z",
"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"shortName": "mozilla"
},
"references": [
{
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1997018"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-92/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-94/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-95/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-96/"
}
],
"title": "Privilege escalation in the Netmonitor component"
}
},
"cveMetadata": {
"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"assignerShortName": "mozilla",
"cveId": "CVE-2025-14329",
"datePublished": "2025-12-09T13:38:04.796Z",
"dateReserved": "2025-12-09T13:38:04.223Z",
"dateUpdated": "2025-12-10T14:32:21.549Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14325 (GCVE-0-2025-14325)
Vulnerability from nvd – Published: 2025-12-09 13:37 – Updated: 2025-12-10 14:32
VLAI?
Title
JIT miscompilation in the JavaScript Engine: JIT component
Summary
JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6.
Severity ?
7.3 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Mozilla | Firefox |
Affected:
unspecified , < 146
(custom)
|
|||||||||||||||||
|
|||||||||||||||||||
Credits
zx
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-14325",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-09T17:04:03.255293Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T17:04:06.762Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Firefox",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "146",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Firefox ESR",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "140.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "146",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "140.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "zx"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox \u003c 146, Firefox ESR \u003c 140.6, Thunderbird \u003c 146, and Thunderbird \u003c 140.6."
}
],
"value": "JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox \u003c 146, Firefox ESR \u003c 140.6, Thunderbird \u003c 146, and Thunderbird \u003c 140.6."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-10T14:32:20.720Z",
"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"shortName": "mozilla"
},
"references": [
{
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1998050"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-92/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-94/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-95/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-96/"
}
],
"title": "JIT miscompilation in the JavaScript Engine: JIT component"
}
},
"cveMetadata": {
"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"assignerShortName": "mozilla",
"cveId": "CVE-2025-14325",
"datePublished": "2025-12-09T13:37:58.843Z",
"dateReserved": "2025-12-09T13:37:58.128Z",
"dateUpdated": "2025-12-10T14:32:20.720Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14333 (GCVE-0-2025-14333)
Vulnerability from nvd – Published: 2025-12-09 13:38 – Updated: 2025-12-10 14:32
VLAI?
Title
Memory safety bugs fixed in Firefox ESR 140.6, Thunderbird ESR 140.6, Firefox 146 and Thunderbird 146
Summary
Memory safety bugs present in Firefox ESR 140.5, Thunderbird ESR 140.5, Firefox 145 and Thunderbird 145. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6.
Severity ?
8.1 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Mozilla | Firefox |
Affected:
unspecified , < 146
(custom)
|
|||||||||||||||||
|
|||||||||||||||||||
Credits
Maurice Dauer and the Mozilla Fuzzing Team
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-14333",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-09T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-10T04:57:12.794Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Firefox",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "146",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Firefox ESR",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "140.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "146",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "140.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Maurice Dauer and the Mozilla Fuzzing Team"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Memory safety bugs present in Firefox ESR 140.5, Thunderbird ESR 140.5, Firefox 145 and Thunderbird 145. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox \u003c 146, Firefox ESR \u003c 140.6, Thunderbird \u003c 146, and Thunderbird \u003c 140.6."
}
],
"value": "Memory safety bugs present in Firefox ESR 140.5, Thunderbird ESR 140.5, Firefox 145 and Thunderbird 145. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox \u003c 146, Firefox ESR \u003c 140.6, Thunderbird \u003c 146, and Thunderbird \u003c 140.6."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-10T14:32:22.749Z",
"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"shortName": "mozilla"
},
"references": [
{
"name": "Memory safety bugs fixed in Firefox ESR 140.6, Thunderbird ESR 140.6, Firefox 146 and Thunderbird 146",
"url": "https://bugzilla.mozilla.org/buglist.cgi?bug_id=1966501%2C1997639"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-92/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-94/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-95/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-96/"
}
],
"title": "Memory safety bugs fixed in Firefox ESR 140.6, Thunderbird ESR 140.6, Firefox 146 and Thunderbird 146"
}
},
"cveMetadata": {
"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"assignerShortName": "mozilla",
"cveId": "CVE-2025-14333",
"datePublished": "2025-12-09T13:38:09.979Z",
"dateReserved": "2025-12-09T13:38:09.392Z",
"dateUpdated": "2025-12-10T14:32:22.749Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14331 (GCVE-0-2025-14331)
Vulnerability from nvd – Published: 2025-12-09 13:38 – Updated: 2025-12-10 14:32
VLAI?
Title
Same-origin policy bypass in the Request Handling component
Summary
Same-origin policy bypass in the Request Handling component. This vulnerability affects Firefox < 146, Firefox ESR < 115.31, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6.
Severity ?
6.5 (Medium)
CWE
- CWE-346 - Origin Validation Error
Assigner
References
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Mozilla | Firefox |
Affected:
unspecified , < 146
(custom)
|
||||||||||||||||||||||
|
||||||||||||||||||||||||
Credits
Igor Morgenstern
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-14331",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-09T16:59:10.319738Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-346",
"description": "CWE-346 Origin Validation Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T16:59:50.907Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Firefox",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "146",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Firefox ESR",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "115.31",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Firefox ESR",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "140.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "146",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "140.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Igor Morgenstern"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Same-origin policy bypass in the Request Handling component. This vulnerability affects Firefox \u003c 146, Firefox ESR \u003c 115.31, Firefox ESR \u003c 140.6, Thunderbird \u003c 146, and Thunderbird \u003c 140.6."
}
],
"value": "Same-origin policy bypass in the Request Handling component. This vulnerability affects Firefox \u003c 146, Firefox ESR \u003c 115.31, Firefox ESR \u003c 140.6, Thunderbird \u003c 146, and Thunderbird \u003c 140.6."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-10T14:32:22.408Z",
"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"shortName": "mozilla"
},
"references": [
{
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2000218"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-92/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-93/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-94/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-95/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-96/"
}
],
"title": "Same-origin policy bypass in the Request Handling component"
}
},
"cveMetadata": {
"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"assignerShortName": "mozilla",
"cveId": "CVE-2025-14331",
"datePublished": "2025-12-09T13:38:07.191Z",
"dateReserved": "2025-12-09T13:38:06.607Z",
"dateUpdated": "2025-12-10T14:32:22.408Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14328 (GCVE-0-2025-14328)
Vulnerability from nvd – Published: 2025-12-09 13:38 – Updated: 2025-12-10 14:32
VLAI?
Title
Privilege escalation in the Netmonitor component
Summary
Privilege escalation in the Netmonitor component. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6.
Severity ?
8.8 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Mozilla | Firefox |
Affected:
unspecified , < 146
(custom)
|
|||||||||||||||||
|
|||||||||||||||||||
Credits
Ameen Basha M K
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-14328",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-09T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-10T04:57:16.234Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Firefox",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "146",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Firefox ESR",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "140.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "146",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "140.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Ameen Basha M K"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Privilege escalation in the Netmonitor component. This vulnerability affects Firefox \u003c 146, Firefox ESR \u003c 140.6, Thunderbird \u003c 146, and Thunderbird \u003c 140.6."
}
],
"value": "Privilege escalation in the Netmonitor component. This vulnerability affects Firefox \u003c 146, Firefox ESR \u003c 140.6, Thunderbird \u003c 146, and Thunderbird \u003c 140.6."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-10T14:32:21.090Z",
"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"shortName": "mozilla"
},
"references": [
{
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1996761"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-92/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-94/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-95/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-96/"
}
],
"title": "Privilege escalation in the Netmonitor component"
}
},
"cveMetadata": {
"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"assignerShortName": "mozilla",
"cveId": "CVE-2025-14328",
"datePublished": "2025-12-09T13:38:03.509Z",
"dateReserved": "2025-12-09T13:38:02.928Z",
"dateUpdated": "2025-12-10T14:32:21.090Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14323 (GCVE-0-2025-14323)
Vulnerability from nvd – Published: 2025-12-09 13:37 – Updated: 2025-12-10 14:32
VLAI?
Title
Privilege escalation in the DOM: Notifications component
Summary
Privilege escalation in the DOM: Notifications component. This vulnerability affects Firefox < 146, Firefox ESR < 115.31, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6.
Severity ?
8.8 (High)
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Mozilla | Firefox |
Affected:
unspecified , < 146
(custom)
|
||||||||||||||||||||||
|
||||||||||||||||||||||||
Credits
tiebuchen
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-14323",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-09T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-10T04:57:11.681Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Firefox",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "146",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Firefox ESR",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "115.31",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Firefox ESR",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "140.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "146",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "140.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "tiebuchen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Privilege escalation in the DOM: Notifications component. This vulnerability affects Firefox \u003c 146, Firefox ESR \u003c 115.31, Firefox ESR \u003c 140.6, Thunderbird \u003c 146, and Thunderbird \u003c 140.6."
}
],
"value": "Privilege escalation in the DOM: Notifications component. This vulnerability affects Firefox \u003c 146, Firefox ESR \u003c 115.31, Firefox ESR \u003c 140.6, Thunderbird \u003c 146, and Thunderbird \u003c 140.6."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-10T14:32:19.864Z",
"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"shortName": "mozilla"
},
"references": [
{
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1996555"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-92/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-93/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-94/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-95/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-96/"
}
],
"title": "Privilege escalation in the DOM: Notifications component"
}
},
"cveMetadata": {
"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"assignerShortName": "mozilla",
"cveId": "CVE-2025-14323",
"datePublished": "2025-12-09T13:37:56.358Z",
"dateReserved": "2025-12-09T13:37:55.768Z",
"dateUpdated": "2025-12-10T14:32:19.864Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14324 (GCVE-0-2025-14324)
Vulnerability from nvd – Published: 2025-12-09 13:37 – Updated: 2025-12-11 20:03
VLAI?
Title
JIT miscompilation in the JavaScript Engine: JIT component
Summary
JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 146, Firefox ESR < 115.31, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6.
Severity ?
9.8 (Critical)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Mozilla | Firefox |
Affected:
unspecified , < 146
(custom)
|
||||||||||||||||||||||
|
||||||||||||||||||||||||
Credits
Lingming Zhang
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-14324",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-11T20:01:17.895694Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-11T20:03:10.119Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Firefox",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "146",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Firefox ESR",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "115.31",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Firefox ESR",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "140.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "146",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "140.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Lingming Zhang"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox \u003c 146, Firefox ESR \u003c 115.31, Firefox ESR \u003c 140.6, Thunderbird \u003c 146, and Thunderbird \u003c 140.6."
}
],
"value": "JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox \u003c 146, Firefox ESR \u003c 115.31, Firefox ESR \u003c 140.6, Thunderbird \u003c 146, and Thunderbird \u003c 140.6."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-10T14:32:20.312Z",
"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"shortName": "mozilla"
},
"references": [
{
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1996840"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-92/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-93/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-94/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-95/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-96/"
}
],
"title": "JIT miscompilation in the JavaScript Engine: JIT component"
}
},
"cveMetadata": {
"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"assignerShortName": "mozilla",
"cveId": "CVE-2025-14324",
"datePublished": "2025-12-09T13:37:57.533Z",
"dateReserved": "2025-12-09T13:37:56.958Z",
"dateUpdated": "2025-12-11T20:03:10.119Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14322 (GCVE-0-2025-14322)
Vulnerability from nvd – Published: 2025-12-09 13:37 – Updated: 2025-12-10 14:32
VLAI?
Title
Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component
Summary
Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component. This vulnerability affects Firefox < 146, Firefox ESR < 115.31, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6.
Severity ?
CWE
- CWE-754 - Improper Check for Unusual or Exceptional Conditions
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Mozilla | Firefox |
Affected:
unspecified , < 146
(custom)
|
||||||||||||||||||||||
|
||||||||||||||||||||||||
Credits
Oskar L
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-14322",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-09T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-754",
"description": "CWE-754 Improper Check for Unusual or Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-10T04:57:17.314Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Firefox",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "146",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Firefox ESR",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "115.31",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Firefox ESR",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "140.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "146",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "140.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Oskar L"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component. This vulnerability affects Firefox \u003c 146, Firefox ESR \u003c 115.31, Firefox ESR \u003c 140.6, Thunderbird \u003c 146, and Thunderbird \u003c 140.6."
}
],
"value": "Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component. This vulnerability affects Firefox \u003c 146, Firefox ESR \u003c 115.31, Firefox ESR \u003c 140.6, Thunderbird \u003c 146, and Thunderbird \u003c 140.6."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-10T14:32:19.512Z",
"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"shortName": "mozilla"
},
"references": [
{
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1996473"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-92/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-93/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-94/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-95/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-96/"
}
],
"title": "Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component"
}
},
"cveMetadata": {
"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"assignerShortName": "mozilla",
"cveId": "CVE-2025-14322",
"datePublished": "2025-12-09T13:37:55.159Z",
"dateReserved": "2025-12-09T13:37:54.554Z",
"dateUpdated": "2025-12-10T14:32:19.512Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14321 (GCVE-0-2025-14321)
Vulnerability from nvd – Published: 2025-12-09 13:37 – Updated: 2025-12-11 20:36
VLAI?
Title
Use-after-free in the WebRTC: Signaling component
Summary
Use-after-free in the WebRTC: Signaling component. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6.
Severity ?
9.8 (Critical)
CWE
- CWE-416 - Use After Free
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Mozilla | Firefox |
Affected:
unspecified , < 146
(custom)
|
|||||||||||||||||
|
|||||||||||||||||||
Credits
Igor Morgenstern
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-14321",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-11T19:36:51.527373Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-11T20:36:32.290Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Firefox",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "146",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Firefox ESR",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "140.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "146",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "140.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Igor Morgenstern"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Use-after-free in the WebRTC: Signaling component. This vulnerability affects Firefox \u003c 146, Firefox ESR \u003c 140.6, Thunderbird \u003c 146, and Thunderbird \u003c 140.6."
}
],
"value": "Use-after-free in the WebRTC: Signaling component. This vulnerability affects Firefox \u003c 146, Firefox ESR \u003c 140.6, Thunderbird \u003c 146, and Thunderbird \u003c 140.6."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-10T14:32:18.975Z",
"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"shortName": "mozilla"
},
"references": [
{
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1992760"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-92/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-94/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-95/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-96/"
}
],
"title": "Use-after-free in the WebRTC: Signaling component"
}
},
"cveMetadata": {
"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"assignerShortName": "mozilla",
"cveId": "CVE-2025-14321",
"datePublished": "2025-12-09T13:37:53.872Z",
"dateReserved": "2025-12-09T13:37:53.205Z",
"dateUpdated": "2025-12-11T20:36:32.290Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13020 (GCVE-0-2025-13020)
Vulnerability from nvd – Published: 2025-11-11 15:47 – Updated: 2025-11-25 14:47
VLAI?
Title
Use-after-free in the WebRTC: Audio/Video component
Summary
Use-after-free in the WebRTC: Audio/Video component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Thunderbird < 145, and Thunderbird < 140.5.
Severity ?
8.8 (High)
CWE
- CWE-416 - Use After Free
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Mozilla | Firefox |
Affected:
unspecified , < 145
(custom)
|
|||||||||||||||||
|
|||||||||||||||||||
Credits
Andreas Pehrson
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-13020",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-12T14:56:55.388656Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-25T14:47:09.378Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Firefox",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "145",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Firefox ESR",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "140.5",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "145",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "140.5",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Andreas Pehrson"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Use-after-free in the WebRTC: Audio/Video component. This vulnerability affects Firefox \u003c 145, Firefox ESR \u003c 140.5, Thunderbird \u003c 145, and Thunderbird \u003c 140.5."
}
],
"value": "Use-after-free in the WebRTC: Audio/Video component. This vulnerability affects Firefox \u003c 145, Firefox ESR \u003c 140.5, Thunderbird \u003c 145, and Thunderbird \u003c 140.5."
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T19:08:03.644Z",
"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"shortName": "mozilla"
},
"references": [
{
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1995686"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-87/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-88/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-90/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-91/"
}
],
"title": "Use-after-free in the WebRTC: Audio/Video component"
}
},
"cveMetadata": {
"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"assignerShortName": "mozilla",
"cveId": "CVE-2025-13020",
"datePublished": "2025-11-11T15:47:17.203Z",
"dateReserved": "2025-11-11T15:12:22.873Z",
"dateUpdated": "2025-11-25T14:47:09.378Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13019 (GCVE-0-2025-13019)
Vulnerability from nvd – Published: 2025-11-11 15:47 – Updated: 2025-11-25 14:47
VLAI?
Title
Same-origin policy bypass in the DOM: Workers component
Summary
Same-origin policy bypass in the DOM: Workers component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Thunderbird < 145, and Thunderbird < 140.5.
Severity ?
8.1 (High)
CWE
- CWE-942 - Permissive Cross-domain Policy with Untrusted Domains
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Mozilla | Firefox |
Affected:
unspecified , < 145
(custom)
|
|||||||||||||||||
|
|||||||||||||||||||
Credits
Oskar L
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-13019",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-12T14:59:56.437129Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-942",
"description": "CWE-942 Permissive Cross-domain Policy with Untrusted Domains",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-25T14:47:26.072Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Firefox",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "145",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Firefox ESR",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "140.5",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "145",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "140.5",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Oskar L"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Same-origin policy bypass in the DOM: Workers component. This vulnerability affects Firefox \u003c 145, Firefox ESR \u003c 140.5, Thunderbird \u003c 145, and Thunderbird \u003c 140.5."
}
],
"value": "Same-origin policy bypass in the DOM: Workers component. This vulnerability affects Firefox \u003c 145, Firefox ESR \u003c 140.5, Thunderbird \u003c 145, and Thunderbird \u003c 140.5."
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T19:08:00.672Z",
"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"shortName": "mozilla"
},
"references": [
{
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1988412"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-87/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-88/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-90/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-91/"
}
],
"title": "Same-origin policy bypass in the DOM: Workers component"
}
},
"cveMetadata": {
"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"assignerShortName": "mozilla",
"cveId": "CVE-2025-13019",
"datePublished": "2025-11-11T15:47:16.759Z",
"dateReserved": "2025-11-11T15:12:20.399Z",
"dateUpdated": "2025-11-25T14:47:26.072Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13018 (GCVE-0-2025-13018)
Vulnerability from nvd – Published: 2025-11-11 15:47 – Updated: 2025-11-25 14:48
VLAI?
Title
Mitigation bypass in the DOM: Security component
Summary
Mitigation bypass in the DOM: Security component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Thunderbird < 145, and Thunderbird < 140.5.
Severity ?
8.1 (High)
CWE
- CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Mozilla | Firefox |
Affected:
unspecified , < 145
(custom)
|
|||||||||||||||||
|
|||||||||||||||||||
Credits
Daniel Veditz
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-13018",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-12T15:10:48.076563Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-25T14:48:17.867Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Firefox",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "145",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Firefox ESR",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "140.5",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "145",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "140.5",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Daniel Veditz"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Mitigation bypass in the DOM: Security component. This vulnerability affects Firefox \u003c 145, Firefox ESR \u003c 140.5, Thunderbird \u003c 145, and Thunderbird \u003c 140.5."
}
],
"value": "Mitigation bypass in the DOM: Security component. This vulnerability affects Firefox \u003c 145, Firefox ESR \u003c 140.5, Thunderbird \u003c 145, and Thunderbird \u003c 140.5."
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T19:07:59.216Z",
"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"shortName": "mozilla"
},
"references": [
{
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1984940"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-87/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-88/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-90/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-91/"
}
],
"title": "Mitigation bypass in the DOM: Security component"
}
},
"cveMetadata": {
"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"assignerShortName": "mozilla",
"cveId": "CVE-2025-13018",
"datePublished": "2025-11-11T15:47:16.458Z",
"dateReserved": "2025-11-11T15:12:17.945Z",
"dateUpdated": "2025-11-25T14:48:17.867Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14333 (GCVE-0-2025-14333)
Vulnerability from cvelistv5 – Published: 2025-12-09 13:38 – Updated: 2025-12-10 14:32
VLAI?
Title
Memory safety bugs fixed in Firefox ESR 140.6, Thunderbird ESR 140.6, Firefox 146 and Thunderbird 146
Summary
Memory safety bugs present in Firefox ESR 140.5, Thunderbird ESR 140.5, Firefox 145 and Thunderbird 145. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6.
Severity ?
8.1 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Mozilla | Firefox |
Affected:
unspecified , < 146
(custom)
|
|||||||||||||||||
|
|||||||||||||||||||
Credits
Maurice Dauer and the Mozilla Fuzzing Team
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-14333",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-09T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-10T04:57:12.794Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Firefox",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "146",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Firefox ESR",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "140.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "146",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "140.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Maurice Dauer and the Mozilla Fuzzing Team"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Memory safety bugs present in Firefox ESR 140.5, Thunderbird ESR 140.5, Firefox 145 and Thunderbird 145. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox \u003c 146, Firefox ESR \u003c 140.6, Thunderbird \u003c 146, and Thunderbird \u003c 140.6."
}
],
"value": "Memory safety bugs present in Firefox ESR 140.5, Thunderbird ESR 140.5, Firefox 145 and Thunderbird 145. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox \u003c 146, Firefox ESR \u003c 140.6, Thunderbird \u003c 146, and Thunderbird \u003c 140.6."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-10T14:32:22.749Z",
"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"shortName": "mozilla"
},
"references": [
{
"name": "Memory safety bugs fixed in Firefox ESR 140.6, Thunderbird ESR 140.6, Firefox 146 and Thunderbird 146",
"url": "https://bugzilla.mozilla.org/buglist.cgi?bug_id=1966501%2C1997639"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-92/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-94/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-95/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-96/"
}
],
"title": "Memory safety bugs fixed in Firefox ESR 140.6, Thunderbird ESR 140.6, Firefox 146 and Thunderbird 146"
}
},
"cveMetadata": {
"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"assignerShortName": "mozilla",
"cveId": "CVE-2025-14333",
"datePublished": "2025-12-09T13:38:09.979Z",
"dateReserved": "2025-12-09T13:38:09.392Z",
"dateUpdated": "2025-12-10T14:32:22.749Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14331 (GCVE-0-2025-14331)
Vulnerability from cvelistv5 – Published: 2025-12-09 13:38 – Updated: 2025-12-10 14:32
VLAI?
Title
Same-origin policy bypass in the Request Handling component
Summary
Same-origin policy bypass in the Request Handling component. This vulnerability affects Firefox < 146, Firefox ESR < 115.31, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6.
Severity ?
6.5 (Medium)
CWE
- CWE-346 - Origin Validation Error
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Mozilla | Firefox |
Affected:
unspecified , < 146
(custom)
|
||||||||||||||||||||||
|
||||||||||||||||||||||||
Credits
Igor Morgenstern
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-14331",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-09T16:59:10.319738Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-346",
"description": "CWE-346 Origin Validation Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T16:59:50.907Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Firefox",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "146",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Firefox ESR",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "115.31",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Firefox ESR",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "140.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "146",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "140.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Igor Morgenstern"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Same-origin policy bypass in the Request Handling component. This vulnerability affects Firefox \u003c 146, Firefox ESR \u003c 115.31, Firefox ESR \u003c 140.6, Thunderbird \u003c 146, and Thunderbird \u003c 140.6."
}
],
"value": "Same-origin policy bypass in the Request Handling component. This vulnerability affects Firefox \u003c 146, Firefox ESR \u003c 115.31, Firefox ESR \u003c 140.6, Thunderbird \u003c 146, and Thunderbird \u003c 140.6."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-10T14:32:22.408Z",
"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"shortName": "mozilla"
},
"references": [
{
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2000218"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-92/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-93/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-94/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-95/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-96/"
}
],
"title": "Same-origin policy bypass in the Request Handling component"
}
},
"cveMetadata": {
"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"assignerShortName": "mozilla",
"cveId": "CVE-2025-14331",
"datePublished": "2025-12-09T13:38:07.191Z",
"dateReserved": "2025-12-09T13:38:06.607Z",
"dateUpdated": "2025-12-10T14:32:22.408Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14330 (GCVE-0-2025-14330)
Vulnerability from cvelistv5 – Published: 2025-12-09 13:38 – Updated: 2025-12-11 20:38
VLAI?
Title
JIT miscompilation in the JavaScript Engine: JIT component
Summary
JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6.
Severity ?
9.8 (Critical)
CWE
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Mozilla | Firefox |
Affected:
unspecified , < 146
(custom)
|
|||||||||||||||||
|
|||||||||||||||||||
Credits
Rong Bao
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-14330",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-11T20:35:46.407561Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-686",
"description": "CWE-686 Function Call With Incorrect Argument Type",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-843",
"description": "CWE-843 Access of Resource Using Incompatible Type (\u0027Type Confusion\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-11T20:38:25.860Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Firefox",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "146",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Firefox ESR",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "140.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "146",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "140.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Rong Bao"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox \u003c 146, Firefox ESR \u003c 140.6, Thunderbird \u003c 146, and Thunderbird \u003c 140.6."
}
],
"value": "JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox \u003c 146, Firefox ESR \u003c 140.6, Thunderbird \u003c 146, and Thunderbird \u003c 140.6."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-10T14:32:21.966Z",
"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"shortName": "mozilla"
},
"references": [
{
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1997503"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-92/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-94/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-95/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-96/"
}
],
"title": "JIT miscompilation in the JavaScript Engine: JIT component"
}
},
"cveMetadata": {
"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"assignerShortName": "mozilla",
"cveId": "CVE-2025-14330",
"datePublished": "2025-12-09T13:38:05.995Z",
"dateReserved": "2025-12-09T13:38:05.412Z",
"dateUpdated": "2025-12-11T20:38:25.860Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14329 (GCVE-0-2025-14329)
Vulnerability from cvelistv5 – Published: 2025-12-09 13:38 – Updated: 2025-12-10 14:32
VLAI?
Title
Privilege escalation in the Netmonitor component
Summary
Privilege escalation in the Netmonitor component. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6.
Severity ?
8.8 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Mozilla | Firefox |
Affected:
unspecified , < 146
(custom)
|
|||||||||||||||||
|
|||||||||||||||||||
Credits
satrya wira yudha
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-14329",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-09T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-10T04:57:15.064Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Firefox",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "146",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Firefox ESR",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "140.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "146",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "140.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "satrya wira yudha"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Privilege escalation in the Netmonitor component. This vulnerability affects Firefox \u003c 146, Firefox ESR \u003c 140.6, Thunderbird \u003c 146, and Thunderbird \u003c 140.6."
}
],
"value": "Privilege escalation in the Netmonitor component. This vulnerability affects Firefox \u003c 146, Firefox ESR \u003c 140.6, Thunderbird \u003c 146, and Thunderbird \u003c 140.6."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-10T14:32:21.549Z",
"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"shortName": "mozilla"
},
"references": [
{
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1997018"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-92/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-94/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-95/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-96/"
}
],
"title": "Privilege escalation in the Netmonitor component"
}
},
"cveMetadata": {
"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"assignerShortName": "mozilla",
"cveId": "CVE-2025-14329",
"datePublished": "2025-12-09T13:38:04.796Z",
"dateReserved": "2025-12-09T13:38:04.223Z",
"dateUpdated": "2025-12-10T14:32:21.549Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14328 (GCVE-0-2025-14328)
Vulnerability from cvelistv5 – Published: 2025-12-09 13:38 – Updated: 2025-12-10 14:32
VLAI?
Title
Privilege escalation in the Netmonitor component
Summary
Privilege escalation in the Netmonitor component. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6.
Severity ?
8.8 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Mozilla | Firefox |
Affected:
unspecified , < 146
(custom)
|
|||||||||||||||||
|
|||||||||||||||||||
Credits
Ameen Basha M K
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-14328",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-09T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-10T04:57:16.234Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Firefox",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "146",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Firefox ESR",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "140.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "146",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "140.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Ameen Basha M K"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Privilege escalation in the Netmonitor component. This vulnerability affects Firefox \u003c 146, Firefox ESR \u003c 140.6, Thunderbird \u003c 146, and Thunderbird \u003c 140.6."
}
],
"value": "Privilege escalation in the Netmonitor component. This vulnerability affects Firefox \u003c 146, Firefox ESR \u003c 140.6, Thunderbird \u003c 146, and Thunderbird \u003c 140.6."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-10T14:32:21.090Z",
"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"shortName": "mozilla"
},
"references": [
{
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1996761"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-92/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-94/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-95/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-96/"
}
],
"title": "Privilege escalation in the Netmonitor component"
}
},
"cveMetadata": {
"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"assignerShortName": "mozilla",
"cveId": "CVE-2025-14328",
"datePublished": "2025-12-09T13:38:03.509Z",
"dateReserved": "2025-12-09T13:38:02.928Z",
"dateUpdated": "2025-12-10T14:32:21.090Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14325 (GCVE-0-2025-14325)
Vulnerability from cvelistv5 – Published: 2025-12-09 13:37 – Updated: 2025-12-10 14:32
VLAI?
Title
JIT miscompilation in the JavaScript Engine: JIT component
Summary
JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6.
Severity ?
7.3 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Mozilla | Firefox |
Affected:
unspecified , < 146
(custom)
|
|||||||||||||||||
|
|||||||||||||||||||
Credits
zx
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-14325",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-09T17:04:03.255293Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T17:04:06.762Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Firefox",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "146",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Firefox ESR",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "140.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "146",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "140.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "zx"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox \u003c 146, Firefox ESR \u003c 140.6, Thunderbird \u003c 146, and Thunderbird \u003c 140.6."
}
],
"value": "JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox \u003c 146, Firefox ESR \u003c 140.6, Thunderbird \u003c 146, and Thunderbird \u003c 140.6."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-10T14:32:20.720Z",
"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"shortName": "mozilla"
},
"references": [
{
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1998050"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-92/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-94/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-95/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-96/"
}
],
"title": "JIT miscompilation in the JavaScript Engine: JIT component"
}
},
"cveMetadata": {
"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"assignerShortName": "mozilla",
"cveId": "CVE-2025-14325",
"datePublished": "2025-12-09T13:37:58.843Z",
"dateReserved": "2025-12-09T13:37:58.128Z",
"dateUpdated": "2025-12-10T14:32:20.720Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14324 (GCVE-0-2025-14324)
Vulnerability from cvelistv5 – Published: 2025-12-09 13:37 – Updated: 2025-12-11 20:03
VLAI?
Title
JIT miscompilation in the JavaScript Engine: JIT component
Summary
JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 146, Firefox ESR < 115.31, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6.
Severity ?
9.8 (Critical)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Mozilla | Firefox |
Affected:
unspecified , < 146
(custom)
|
||||||||||||||||||||||
|
||||||||||||||||||||||||
Credits
Lingming Zhang
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-14324",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-11T20:01:17.895694Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-11T20:03:10.119Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Firefox",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "146",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Firefox ESR",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "115.31",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Firefox ESR",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "140.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "146",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "140.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Lingming Zhang"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox \u003c 146, Firefox ESR \u003c 115.31, Firefox ESR \u003c 140.6, Thunderbird \u003c 146, and Thunderbird \u003c 140.6."
}
],
"value": "JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox \u003c 146, Firefox ESR \u003c 115.31, Firefox ESR \u003c 140.6, Thunderbird \u003c 146, and Thunderbird \u003c 140.6."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-10T14:32:20.312Z",
"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"shortName": "mozilla"
},
"references": [
{
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1996840"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-92/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-93/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-94/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-95/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-96/"
}
],
"title": "JIT miscompilation in the JavaScript Engine: JIT component"
}
},
"cveMetadata": {
"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"assignerShortName": "mozilla",
"cveId": "CVE-2025-14324",
"datePublished": "2025-12-09T13:37:57.533Z",
"dateReserved": "2025-12-09T13:37:56.958Z",
"dateUpdated": "2025-12-11T20:03:10.119Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14323 (GCVE-0-2025-14323)
Vulnerability from cvelistv5 – Published: 2025-12-09 13:37 – Updated: 2025-12-10 14:32
VLAI?
Title
Privilege escalation in the DOM: Notifications component
Summary
Privilege escalation in the DOM: Notifications component. This vulnerability affects Firefox < 146, Firefox ESR < 115.31, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6.
Severity ?
8.8 (High)
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Mozilla | Firefox |
Affected:
unspecified , < 146
(custom)
|
||||||||||||||||||||||
|
||||||||||||||||||||||||
Credits
tiebuchen
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-14323",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-09T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-10T04:57:11.681Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Firefox",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "146",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Firefox ESR",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "115.31",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Firefox ESR",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "140.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "146",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "140.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "tiebuchen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Privilege escalation in the DOM: Notifications component. This vulnerability affects Firefox \u003c 146, Firefox ESR \u003c 115.31, Firefox ESR \u003c 140.6, Thunderbird \u003c 146, and Thunderbird \u003c 140.6."
}
],
"value": "Privilege escalation in the DOM: Notifications component. This vulnerability affects Firefox \u003c 146, Firefox ESR \u003c 115.31, Firefox ESR \u003c 140.6, Thunderbird \u003c 146, and Thunderbird \u003c 140.6."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-10T14:32:19.864Z",
"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"shortName": "mozilla"
},
"references": [
{
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1996555"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-92/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-93/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-94/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-95/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-96/"
}
],
"title": "Privilege escalation in the DOM: Notifications component"
}
},
"cveMetadata": {
"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"assignerShortName": "mozilla",
"cveId": "CVE-2025-14323",
"datePublished": "2025-12-09T13:37:56.358Z",
"dateReserved": "2025-12-09T13:37:55.768Z",
"dateUpdated": "2025-12-10T14:32:19.864Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14322 (GCVE-0-2025-14322)
Vulnerability from cvelistv5 – Published: 2025-12-09 13:37 – Updated: 2025-12-10 14:32
VLAI?
Title
Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component
Summary
Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component. This vulnerability affects Firefox < 146, Firefox ESR < 115.31, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6.
Severity ?
CWE
- CWE-754 - Improper Check for Unusual or Exceptional Conditions
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Mozilla | Firefox |
Affected:
unspecified , < 146
(custom)
|
||||||||||||||||||||||
|
||||||||||||||||||||||||
Credits
Oskar L
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-14322",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-09T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-754",
"description": "CWE-754 Improper Check for Unusual or Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-10T04:57:17.314Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Firefox",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "146",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Firefox ESR",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "115.31",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Firefox ESR",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "140.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "146",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "140.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Oskar L"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component. This vulnerability affects Firefox \u003c 146, Firefox ESR \u003c 115.31, Firefox ESR \u003c 140.6, Thunderbird \u003c 146, and Thunderbird \u003c 140.6."
}
],
"value": "Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component. This vulnerability affects Firefox \u003c 146, Firefox ESR \u003c 115.31, Firefox ESR \u003c 140.6, Thunderbird \u003c 146, and Thunderbird \u003c 140.6."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-10T14:32:19.512Z",
"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"shortName": "mozilla"
},
"references": [
{
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1996473"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-92/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-93/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-94/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-95/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-96/"
}
],
"title": "Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component"
}
},
"cveMetadata": {
"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"assignerShortName": "mozilla",
"cveId": "CVE-2025-14322",
"datePublished": "2025-12-09T13:37:55.159Z",
"dateReserved": "2025-12-09T13:37:54.554Z",
"dateUpdated": "2025-12-10T14:32:19.512Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14321 (GCVE-0-2025-14321)
Vulnerability from cvelistv5 – Published: 2025-12-09 13:37 – Updated: 2025-12-11 20:36
VLAI?
Title
Use-after-free in the WebRTC: Signaling component
Summary
Use-after-free in the WebRTC: Signaling component. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6.
Severity ?
9.8 (Critical)
CWE
- CWE-416 - Use After Free
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Mozilla | Firefox |
Affected:
unspecified , < 146
(custom)
|
|||||||||||||||||
|
|||||||||||||||||||
Credits
Igor Morgenstern
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-14321",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-11T19:36:51.527373Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-11T20:36:32.290Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Firefox",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "146",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Firefox ESR",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "140.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "146",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "140.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Igor Morgenstern"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Use-after-free in the WebRTC: Signaling component. This vulnerability affects Firefox \u003c 146, Firefox ESR \u003c 140.6, Thunderbird \u003c 146, and Thunderbird \u003c 140.6."
}
],
"value": "Use-after-free in the WebRTC: Signaling component. This vulnerability affects Firefox \u003c 146, Firefox ESR \u003c 140.6, Thunderbird \u003c 146, and Thunderbird \u003c 140.6."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-10T14:32:18.975Z",
"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"shortName": "mozilla"
},
"references": [
{
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1992760"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-92/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-94/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-95/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-96/"
}
],
"title": "Use-after-free in the WebRTC: Signaling component"
}
},
"cveMetadata": {
"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"assignerShortName": "mozilla",
"cveId": "CVE-2025-14321",
"datePublished": "2025-12-09T13:37:53.872Z",
"dateReserved": "2025-12-09T13:37:53.205Z",
"dateUpdated": "2025-12-11T20:36:32.290Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13020 (GCVE-0-2025-13020)
Vulnerability from cvelistv5 – Published: 2025-11-11 15:47 – Updated: 2025-11-25 14:47
VLAI?
Title
Use-after-free in the WebRTC: Audio/Video component
Summary
Use-after-free in the WebRTC: Audio/Video component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Thunderbird < 145, and Thunderbird < 140.5.
Severity ?
8.8 (High)
CWE
- CWE-416 - Use After Free
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Mozilla | Firefox |
Affected:
unspecified , < 145
(custom)
|
|||||||||||||||||
|
|||||||||||||||||||
Credits
Andreas Pehrson
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-13020",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-12T14:56:55.388656Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-25T14:47:09.378Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Firefox",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "145",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Firefox ESR",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "140.5",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "145",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "140.5",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Andreas Pehrson"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Use-after-free in the WebRTC: Audio/Video component. This vulnerability affects Firefox \u003c 145, Firefox ESR \u003c 140.5, Thunderbird \u003c 145, and Thunderbird \u003c 140.5."
}
],
"value": "Use-after-free in the WebRTC: Audio/Video component. This vulnerability affects Firefox \u003c 145, Firefox ESR \u003c 140.5, Thunderbird \u003c 145, and Thunderbird \u003c 140.5."
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T19:08:03.644Z",
"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"shortName": "mozilla"
},
"references": [
{
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1995686"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-87/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-88/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-90/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-91/"
}
],
"title": "Use-after-free in the WebRTC: Audio/Video component"
}
},
"cveMetadata": {
"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"assignerShortName": "mozilla",
"cveId": "CVE-2025-13020",
"datePublished": "2025-11-11T15:47:17.203Z",
"dateReserved": "2025-11-11T15:12:22.873Z",
"dateUpdated": "2025-11-25T14:47:09.378Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13019 (GCVE-0-2025-13019)
Vulnerability from cvelistv5 – Published: 2025-11-11 15:47 – Updated: 2025-11-25 14:47
VLAI?
Title
Same-origin policy bypass in the DOM: Workers component
Summary
Same-origin policy bypass in the DOM: Workers component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Thunderbird < 145, and Thunderbird < 140.5.
Severity ?
8.1 (High)
CWE
- CWE-942 - Permissive Cross-domain Policy with Untrusted Domains
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Mozilla | Firefox |
Affected:
unspecified , < 145
(custom)
|
|||||||||||||||||
|
|||||||||||||||||||
Credits
Oskar L
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-13019",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-12T14:59:56.437129Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-942",
"description": "CWE-942 Permissive Cross-domain Policy with Untrusted Domains",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-25T14:47:26.072Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Firefox",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "145",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Firefox ESR",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "140.5",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "145",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "140.5",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Oskar L"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Same-origin policy bypass in the DOM: Workers component. This vulnerability affects Firefox \u003c 145, Firefox ESR \u003c 140.5, Thunderbird \u003c 145, and Thunderbird \u003c 140.5."
}
],
"value": "Same-origin policy bypass in the DOM: Workers component. This vulnerability affects Firefox \u003c 145, Firefox ESR \u003c 140.5, Thunderbird \u003c 145, and Thunderbird \u003c 140.5."
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T19:08:00.672Z",
"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"shortName": "mozilla"
},
"references": [
{
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1988412"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-87/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-88/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-90/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-91/"
}
],
"title": "Same-origin policy bypass in the DOM: Workers component"
}
},
"cveMetadata": {
"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"assignerShortName": "mozilla",
"cveId": "CVE-2025-13019",
"datePublished": "2025-11-11T15:47:16.759Z",
"dateReserved": "2025-11-11T15:12:20.399Z",
"dateUpdated": "2025-11-25T14:47:26.072Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13018 (GCVE-0-2025-13018)
Vulnerability from cvelistv5 – Published: 2025-11-11 15:47 – Updated: 2025-11-25 14:48
VLAI?
Title
Mitigation bypass in the DOM: Security component
Summary
Mitigation bypass in the DOM: Security component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Thunderbird < 145, and Thunderbird < 140.5.
Severity ?
8.1 (High)
CWE
- CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Mozilla | Firefox |
Affected:
unspecified , < 145
(custom)
|
|||||||||||||||||
|
|||||||||||||||||||
Credits
Daniel Veditz
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-13018",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-12T15:10:48.076563Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-25T14:48:17.867Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Firefox",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "145",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Firefox ESR",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "140.5",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "145",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "140.5",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Daniel Veditz"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Mitigation bypass in the DOM: Security component. This vulnerability affects Firefox \u003c 145, Firefox ESR \u003c 140.5, Thunderbird \u003c 145, and Thunderbird \u003c 140.5."
}
],
"value": "Mitigation bypass in the DOM: Security component. This vulnerability affects Firefox \u003c 145, Firefox ESR \u003c 140.5, Thunderbird \u003c 145, and Thunderbird \u003c 140.5."
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T19:07:59.216Z",
"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"shortName": "mozilla"
},
"references": [
{
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1984940"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-87/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-88/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-90/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-91/"
}
],
"title": "Mitigation bypass in the DOM: Security component"
}
},
"cveMetadata": {
"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"assignerShortName": "mozilla",
"cveId": "CVE-2025-13018",
"datePublished": "2025-11-11T15:47:16.458Z",
"dateReserved": "2025-11-11T15:12:17.945Z",
"dateUpdated": "2025-11-25T14:48:17.867Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}