EUVD-2025-18100
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4Description
An integer overflow was present in `OrderedHashTable` used by the JavaScript engine This vulnerability affects Firefox < 139.0.4.
Analysis
An integer overflow vulnerability exists in the OrderedHashTable component of Firefox's JavaScript engine, allowing remote attackers to achieve arbitrary code execution without requiring user interaction or elevated privileges. This critical flaw affects Firefox versions prior to 139.0.4 and carries a maximum CVSS score of 9.8, indicating severe real-world risk with network-based attack vectors requiring no user interaction.
Technical Context
The vulnerability resides in OrderedHashTable, a core data structure within the SpiderMonkey JavaScript engine used by Firefox. Integer overflow vulnerabilities (CWE-190) in hash table implementations can lead to memory corruption when size calculations fail to properly validate boundaries during allocation or indexing operations. When an integer overflow occurs during size computation, subsequent memory operations may write beyond allocated buffer boundaries or read from unintended memory locations, compromising memory safety guarantees. This affects CPE:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:* with versions below 139.0.4 being vulnerable. The OrderedHashTable is fundamental to JavaScript object property storage, making it a high-impact target in the engine's execution path.
Affected Products
Mozilla Firefox (Firefox < 139.0.4)
Remediation
- priority: CRITICAL; action: Immediate patching; details: Update Firefox to version 139.0.4 or later. Users can enable automatic updates in Firefox preferences (Settings > General > Firefox Updates) or manually download the latest version from mozilla.org. - priority: HIGH; action: Organizational deployment; details: Enterprise administrators should deploy Firefox 139.0.4+ through centralized update mechanisms (ADMX templates, MDM solutions) to all endpoints immediately. Do not delay for testing cycles given the critical CVSS and network-based attack vector. - priority: MEDIUM; action: Defense-in-depth; details: Until patches can be deployed universally, consider supplementary mitigations: disable JavaScript in Firefox via about:config (javascript.enabled = false) for high-risk users, implement content security policies on web servers, deploy browser isolation technologies for sensitive operations, monitor for suspicious memory access patterns in web logs. - priority: MEDIUM; action: Monitoring; details: Monitor Firefox crash reports and system logs for exploitation indicators (segmentation faults in spidermonkey, unexpected code execution). Implement EDR/XDR solutions with JavaScript execution monitoring capabilities.
Priority Score
Vendor Status
Ubuntu
Priority: Medium| Release | Status | Version |
|---|---|---|
| jammy | not-affected | code not present |
| noble | not-affected | code not present |
| oracular | not-affected | code not present |
| plucky | not-affected | code not present |
| upstream | needs-triage | - |
| focal | DNE | - |
| questing | not-affected | code not present |
| Release | Status | Version |
|---|---|---|
| noble | not-affected | code not present |
| oracular | not-affected | code not present |
| plucky | not-affected | code not present |
| upstream | needs-triage | - |
| jammy | not-affected | code not present |
| focal | DNE | - |
| questing | not-affected | code not present |
| Release | Status | Version |
|---|---|---|
| bionic | needs-triage | - |
| jammy | DNE | - |
| noble | DNE | - |
| oracular | DNE | - |
| plucky | DNE | - |
| upstream | needs-triage | - |
| questing | DNE | - |
| Release | Status | Version |
|---|---|---|
| bionic | ignored | - |
| focal | ignored | - |
| jammy | DNE | - |
| noble | DNE | - |
| oracular | DNE | - |
| plucky | DNE | - |
| upstream | needs-triage | - |
| questing | DNE | - |
| Release | Status | Version |
|---|---|---|
| focal | ignored | - |
| jammy | DNE | - |
| noble | DNE | - |
| oracular | DNE | - |
| plucky | DNE | - |
| upstream | needs-triage | - |
| questing | DNE | - |
| Release | Status | Version |
|---|---|---|
| jammy | ignored | - |
| noble | DNE | - |
| oracular | DNE | - |
| plucky | DNE | - |
| upstream | needs-triage | - |
| questing | DNE | - |
| Release | Status | Version |
|---|---|---|
| jammy | ignored | - |
| noble | DNE | - |
| oracular | DNE | - |
| plucky | DNE | - |
| upstream | needs-triage | - |
| questing | DNE | - |
| Release | Status | Version |
|---|---|---|
| jammy | ignored | - |
| noble | ignored | - |
| oracular | DNE | - |
| plucky | DNE | - |
| upstream | needs-triage | - |
| questing | DNE | - |
| Release | Status | Version |
|---|---|---|
| jammy | DNE | - |
| noble | ignored | - |
| oracular | ignored | - |
| plucky | ignored | - |
| upstream | needs-triage | - |
| questing | DNE | - |
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| sid | fixed | 148.0.2-1 | - |
| (unstable) | fixed | 139.0.4-1 | - |
Share
External POC / Exploit Code
Leaving vuln.today