CVE-2025-14324

9.8 CRITICAL

📋 TL;DR

A critical JIT miscompilation vulnerability in Firefox's JavaScript engine allows arbitrary code execution when processing malicious JavaScript. This affects Firefox, Firefox ESR, and Thunderbird users running outdated versions. Attackers can exploit this to take full control of affected browsers.

💻 Affected Systems

Products:
  • Firefox
  • Firefox ESR
  • Thunderbird
Versions: Firefox < 146, Firefox ESR < 115.31, Firefox ESR < 140.6, Thunderbird < 146, Thunderbird < 140.6
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable. No special settings required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, and lateral movement within networks.

🟠 Likely Case: Browser compromise allowing session hijacking, credential theft, and malware installation.

🟢 If Mitigated: Limited impact if browser sandboxing works properly, but still potential for data exfiltration.

🌐 Internet-Facing: HIGH - Browser vulnerabilities are directly exposed to internet content.
🏢 Internal Only: MEDIUM - Internal web applications could be used as attack vectors.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

CVSS 9.8 indicates trivial exploitation. While no public PoC exists, similar JIT vulnerabilities are frequently weaponized.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 146+, Firefox ESR 115.31+, Firefox ESR 140.6+, Thunderbird 146+, Thunderbird 140.6+

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2025-92/

Restart Required: Yes

Instructions:

1. Open browser settings
2. Navigate to 'About Firefox/Thunderbird'
3. Allow automatic update or manually download from mozilla.org
4. Restart browser

🔧 Temporary Workarounds

Disable JavaScript

all

Temporarily disable JavaScript execution to prevent exploitation

about:config -> javascript.enabled = false

Enable Enhanced Tracking Protection

all

Blocks known malicious scripts

Settings -> Privacy & Security -> Enhanced Tracking Protection -> Strict

🧯 If You Can't Patch

  • Network segmentation to isolate vulnerable browsers from critical systems
  • Implement application allowlisting to prevent unauthorized code execution

🔍 How to Verify

Check if Vulnerable:

Check browser version in settings: Firefox/Thunderbird -> Help -> About

Check Version:

firefox --version or thunderbird --version

Verify Fix Applied:

Confirm version is at or above the patched versions listed under Official Fix
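
The version check above can be scripted for fleet audits. The following is an added example, not part of the vendor advisory: check_cve_2025_14324 is a hypothetical helper that classifies one line of `--version` output against the patched versions listed on this page, and it assumes ESR builds report an "esr" suffix. The sample lines are constructed.

```shell
#!/bin/sh
# Added example. Returns 0 = vulnerable, 1 = patched, 2 = unrecognised input.
check_cve_2025_14324() {
    line=$1
    case $line in
        *Firefox*)     product=firefox ;;
        *Thunderbird*) product=thunderbird ;;
        *)             return 2 ;;
    esac
    ver=${line##* }                       # last field, e.g. 140.5.0esr
    case $ver in
        *esr) esr=1; ver=${ver%esr} ;;    # assumption: ESR builds carry this suffix
        *)    esr=0 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    [ "$rest" != "$ver" ] || rest=0       # no minor component present
    minor=${rest%%.*}
    minor=${minor%%[!0-9]*}               # drop pre-release tags such as 0a1, 0b3
    [ -n "$minor" ] || minor=0
    case $major in
        ''|*[!0-9]*) return 2 ;;
    esac
    # Default fix is the release channel (146); ESR branches have their own.
    fixed_major=146 fixed_minor=0
    if [ "$esr" -eq 1 ]; then
        case $product:$major in
            firefox:115) fixed_major=115 fixed_minor=31 ;;
            *:140)       fixed_major=140 fixed_minor=6 ;;
        esac
    fi
    if [ "$major" -lt "$fixed_major" ] ||
       { [ "$major" -eq "$fixed_major" ] && [ "$minor" -lt "$fixed_minor" ]; }; then
        return 0
    fi
    return 1
}

# Constructed sample inputs; on a real host pass "$(firefox --version)" instead.
for sample in "Mozilla Firefox 145.0.2" "Mozilla Firefox 140.6.0esr" \
              "Mozilla Thunderbird 140.5.0esr"; do
    rc=0; check_cve_2025_14324 "$sample" || rc=$?
    case $rc in
        0) echo "VULNERABLE: $sample" ;;
        1) echo "patched:    $sample" ;;
        *) echo "unknown:    $sample" ;;
    esac
done
```

ESR branches with no fix listed on this page (for example a 128.x ESR build) are compared against 146 and therefore reported as vulnerable.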

📡 Detection & Monitoring

Log Indicators:

  • Browser crash reports with JIT-related errors
  • Unusual JavaScript execution patterns

Network Indicators:

  • Traffic to known exploit domains
  • Unusual outbound connections from browsers

SIEM Query:

source="browser_logs" AND ((event="crash" AND component="JIT") OR (javascript_execution_anomaly))
