CVE-2025-1014

8.8 HIGH

📋 TL;DR

A certificate validation vulnerability in Mozilla products: certificate length was not checked properly when a certificate was added to a certificate store. This could potentially enable certificate spoofing or man-in-the-middle attacks. Affects users of Firefox, Firefox ESR, and Thunderbird running vulnerable versions.

💻 Affected Systems

Products:
  • Firefox
  • Firefox ESR
  • Thunderbird
Versions: Firefox < 135, Firefox ESR < 128.7, Thunderbird < 128.7, Thunderbird < 135
Operating Systems: All platforms supported by affected Mozilla products
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects certificate store operations with trusted data sources.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could spoof trusted certificates, enabling man-in-the-middle attacks to intercept and modify encrypted communications, potentially leading to credential theft or data compromise.

🟠 Likely Case

Limited impact since only trusted data was processed in practice, but could still enable targeted attacks against specific users or organizations.

🟢 If Mitigated

With proper network controls and certificate pinning, impact is minimal as the vulnerability requires specific conditions to be exploitable.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires specific conditions and access to manipulate certificate data being added to stores.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 135+, Firefox ESR 128.7+, Thunderbird 128.7+, Thunderbird 135+

Vendor Advisory: https://www.mozilla.org/security/advisories/

Restart Required: Yes

Instructions:

1. Open the affected application
2. Go to Help > About
3. Allow the automatic update or download the latest version from mozilla.org
4. Restart the application after the update

🔧 Temporary Workarounds

Disable automatic certificate trust (all): Prevent automatic addition of certificates to trusted stores

🧯 If You Can't Patch

  • Implement network-level certificate pinning
  • Use application allowlisting to restrict vulnerable versions

🔍 How to Verify

Check if Vulnerable:

Check application version in Help > About menu

Check Version:

firefox --version or thunderbird --version

Verify Fix Applied:

Verify version is at or above patched versions: Firefox 135+, Firefox ESR 128.7+, Thunderbird 128.7+, Thunderbird 135+
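As an added example, not part of this advisory, the following POSIX shell function classifies a Firefox or Thunderbird version string against the fixed versions listed above (ESR branch 128.7+, mainline 135+). The "--version" output formats it parses, such as "Mozilla Firefox 128.6.0esr" or "Mozilla Thunderbird 134.0", are assumed from typical output; adjust if yours differ.

```shell
#!/bin/sh
# Added example (not Mozilla's own tooling): classify a "--version" string
# against the CVE-2025-1014 fixed versions. Prints one of:
#   patched | vulnerable | unknown
# Assumed input formats (constructed): "Mozilla Firefox 134.0",
# "Mozilla Firefox 128.6.0esr", "Mozilla Thunderbird 128.7.0esr".
cve_2025_1014_status() {
  num=${1##* }                       # last whitespace-separated token
  branch=mainline
  case $num in
    *esr) branch=esr; num=${num%esr} ;;   # ESR builds carry an "esr" suffix
  esac
  case $num in
    ''|*[!0-9.]*) echo unknown; return 0 ;;   # betas/nightlies/garbage: don't guess
  esac
  major=${num%%.*}
  rest=${num#*.}
  if [ "$rest" = "$num" ]; then minor=0; else minor=${rest%%.*}; fi
  if [ "$branch" = esr ]; then
    # Firefox ESR / Thunderbird ESR: fixed in 128.7 and any later ESR line
    if [ "$major" -gt 128 ] || { [ "$major" -eq 128 ] && [ "$minor" -ge 7 ]; }; then
      echo patched; return 0
    fi
  elif [ "$major" -ge 135 ]; then
    # Mainline Firefox / monthly Thunderbird: fixed in 135
    echo patched; return 0
  fi
  echo vulnerable
}

# Report on whatever is installed on this host; silently skips absent binaries.
report_installed() {
  for app in firefox thunderbird; do
    command -v "$app" >/dev/null 2>&1 || continue
    out=$("$app" --version 2>/dev/null) || continue
    printf '%s: %s\n' "$out" "$(cve_2025_1014_status "$out")"
  done
}

report_installed
```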

📡 Detection & Monitoring

Log Indicators:

  • Unusual certificate validation errors
  • Multiple certificate store modification attempts

Network Indicators:

  • Unexpected certificate changes in TLS handshakes
  • Certificate chain validation anomalies

SIEM Query:

(source="*firefox*" OR source="*thunderbird*") AND (event="certificate_error" OR event="cert_store_modification")
