CVE-2025-11711

MEDIUM
2025-10-14 [email protected]
Mozilla Information Disclosure Thunderbird Redhat Suse
6.5
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Apr 13, 2026 - 15:44 vuln.today

DescriptionNVD

There was a way to change the value of JavaScript Object properties that were supposed to be non-writeable. This vulnerability was fixed in Firefox 144, Firefox ESR 115.29, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4.

AnalysisAI

Modify read-only JavaScript Object properties in Firefox and Thunderbird via crafted web content, allowing attackers to bypass property immutability protections and alter application state. Affects Firefox versions below 144, Firefox ESR below 115.29 and 140.4, Thunderbird below 144 and 140.4. Requires user interaction (malicious website visit) but no authentication. CVSS 6.5 reflects high integrity impact with user-interaction requirement; no evidence of active exploitation or public exploit code at time of analysis.

Technical ContextAI

The vulnerability exists in the JavaScript engine's object property handling, specifically in the mechanisms that enforce read-only (non-writable) property descriptors defined in the ECMAScript specification. JavaScript objects support property descriptors with writable flags that prevent modification of critical properties; this vulnerability bypasses those protections through an unspecified method. The flaw is classified under CWE-591 (Sensitive Data Exposure via Property Manipulation), indicating improper access control on object properties that should be immutable. The attack surface spans all JavaScript execution contexts in Firefox and Thunderbird, including script execution triggered by visiting hostile web pages or processing untrusted content.

RemediationAI

Upgrade Firefox to version 144 or later (standard release), Firefox ESR to 115.29 or later (ESR 115 track) or 140.4 or later (ESR 140 track). Upgrade Thunderbird to version 144 or later (standard release) or 140.4 or later (ESR 140 track). Vendor-released patches are available via Mozilla's official distribution channels and security advisories (https://www.mozilla.org/security/advisories/mfsa2025-81/, mfsa2025-82, mfsa2025-83, mfsa2025-84, mfsa2025-85). Users unable to patch immediately should avoid visiting untrusted websites and disable JavaScript execution in high-risk contexts if feasible, though this is not a practical workaround for standard users. Linux distributions including Debian have released package updates (per debian-lts-announce references).

Vendor StatusVendor

Share

CVE-2025-11711 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy