CVE-2025-14325

Severity: HIGH, 7.3 (CVSS 3.1)
Date: 2025-12-09

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

Analysis Generated: Apr 13, 2026 - 16:10 (vuln.today)

Description (NVD)

JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 146, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6.

Analysis (AI)

JIT compiler miscompilation in Mozilla Firefox and Thunderbird's JavaScript engine enables remote attackers to achieve limited confidentiality, integrity, and availability impact without authentication or user interaction. Affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird ESR < 140.6. Vendor-released patches available in Firefox 146, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6. No public exploit identified at time of analysis, with EPSS score of 0.11% (30th percentile) indicating low predicted exploitation probability.

Technical Context (AI)

This vulnerability affects the Just-In-Time (JIT) compiler component of Mozilla's JavaScript engine (SpiderMonkey). JIT compilers optimize JavaScript execution by translating hot code paths to native machine code at runtime. The issue is classified as CWE-843 (Access of Resource Using Incompatible Type, "Type Confusion"): the JIT compiler generates incorrect native code because it compiles with wrong type assumptions. The resulting machine code may then access memory as an incompatible type, leading to memory corruption. This can occur during speculative optimization, when the JIT compiler makes incorrect assumptions about variable types or object layouts and then fails to guard against violations of those assumptions. The vulnerability affects both Firefox and Thunderbird across the standard and Extended Support Release (ESR) channels, because the two applications share the same core JavaScript execution engine.

Remediation (AI)

Vendor-released patches are available: upgrade Firefox standard release to version 146 or later, Firefox ESR to version 140.6 or later, Thunderbird standard release to version 146 or later, and Thunderbird ESR to version 140.6 or later. Mozilla has addressed the JIT miscompilation issue in these versions according to security advisories MFSA2025-92, MFSA2025-94, MFSA2025-95, and MFSA2025-96. Organizations should deploy updates through existing patch management processes, prioritizing internet-facing systems and high-risk user populations. No effective workarounds exist short of disabling JavaScript entirely, which would break core browser and email client functionality. For Firefox deployments, administrators can accelerate updates using enterprise policy controls or Mozilla's deployment tools. Verify successful patching by checking Help > About Firefox or Help > About Thunderbird to confirm version numbers meet or exceed the fixed releases. Additional vulnerability details are documented in Mozilla Bugzilla report 1998050 at https://bugzilla.mozilla.org/show_bug.cgi?id=1998050.
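The version check described above can be run across an inventory rather than per machine. The following is an added example, not code from Mozilla or from this page. It assumes a constructed inventory of "host,product,version" rows in which ESR builds may carry an "esr" suffix; the host names are hypothetical, and unparseable versions (for example betas) are reported separately rather than guessed.

```python
import re

# Fixed versions named on this page: 146 (standard release) and 140.6 (ESR).
FIXED_RELEASE = (146, 0)
FIXED_ESR = (140, 6)
PRODUCTS = {"firefox", "thunderbird"}

# Accepts "146", "146.0.1", "140.5.0esr"; rejects betas such as "146.0b3".
_VERSION = re.compile(r"(\d+)(?:\.(\d+))?(?:\.\d+)*(?:esr)?")

def parse_version(text):
    """Return (major, minor) as integers, or raise ValueError."""
    match = _VERSION.fullmatch(text.strip().lower())
    if match is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(match.group(1)), int(match.group(2) or 0)

def is_patched(version):
    """True if the version is at or above a fixed release listed on this page."""
    found = parse_version(version)
    if found >= FIXED_RELEASE:
        return True
    # Below 146, only the 140 ESR line at 140.6 or later carries the fix.
    # Tuple comparison keeps 140.10 above 140.6, unlike string comparison.
    return found[0] == FIXED_ESR[0] and found >= FIXED_ESR

def audit(rows):
    """Sort 'host,product,version' rows into patched / needs_update / unknown."""
    report = {"patched": [], "needs_update": [], "unknown": []}
    for row in rows:
        fields = [f.strip() for f in row.split(",")]
        try:
            if len(fields) != 3 or fields[1].lower() not in PRODUCTS:
                raise ValueError("malformed row or unexpected product")
            bucket = "patched" if is_patched(fields[2]) else "needs_update"
            report[bucket].append(fields[0])
        except ValueError:
            report["unknown"].append(row)  # keep the raw row for manual review
    return report

# Constructed sample inventory (hypothetical hosts, not data from the page).
SAMPLE = [
    "ws-01,firefox,146.0.1",
    "ws-02,firefox,145.0.2",
    "ws-03,firefox,140.5.0esr",
    "ws-04,thunderbird,140.6.0esr",
    "ws-05,thunderbird,146.0b3",
]
```

Calling audit(SAMPLE) returns the hosts grouped by status; rows in "unknown" need a manual check in Help > About.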
