Login Sign Up

CVE-2025-14325

7.3 HIGH
Remote Code Execution Denial of Service

📋 TL;DR

A JIT (Just-In-Time) compilation vulnerability in Mozilla's JavaScript engine allows memory corruption through miscompiled code. This affects Firefox, Firefox ESR, and Thunderbird users running outdated versions. Attackers could exploit this to execute arbitrary code or cause denial of service.

💻 Affected Systems

Products:
  • Firefox
  • Firefox ESR
  • Thunderbird
Versions: Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, Thunderbird < 140.6
Operating Systems: Windows, Linux, macOS, All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable. JavaScript must be enabled (default).

📦 What is this software?

Firefox by Mozilla

View all CVEs affecting Firefox →

Firefox by Mozilla

View all CVEs affecting Firefox →

Thunderbird by Mozilla

View all CVEs affecting Thunderbird →

Thunderbird by Mozilla

View all CVEs affecting Thunderbird →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to full system compromise, data theft, or malware installation.

🟠

Likely Case

Browser/application crash (denial of service) or limited memory corruption.

🟢

If Mitigated

No impact if patched; sandboxing may limit exploit effectiveness.

🌐 Internet-Facing: HIGH - Web browsers process untrusted content from the internet.
🏢 Internal Only: MEDIUM - Internal web applications could still trigger the vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires JavaScript execution; no authentication needed. Complexity depends on bypassing mitigations.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 146+, Firefox ESR 140.6+, Thunderbird 146+, Thunderbird 140.6+

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2025-92/

Restart Required: Yes

Instructions:

1. Open Firefox/Thunderbird. 2. Go to Menu > Help > About Firefox/Thunderbird. 3. Allow automatic update check and installation. 4. Restart the application when prompted.

🔧 Temporary Workarounds

Disable JavaScript

all

Prevents exploitation by blocking JavaScript execution.

about:config > javascript.enabled = false

Use Content Security Policy

all

Restrict JavaScript sources to trusted domains.

Content-Security-Policy: script-src 'self'

🧯 If You Can't Patch

  • Restrict application to trusted websites only.
  • Implement network segmentation to limit browser access to sensitive systems.

🔍 How to Verify

Check if Vulnerable:

Check version in application: Menu > Help > About Firefox/Thunderbird.

Check Version:

firefox --version or thunderbird --version

Verify Fix Applied:

Confirm version is Firefox ≥146, Firefox ESR ≥140.6, Thunderbird ≥146, or Thunderbird ≥140.6.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with memory access errors
  • Unexpected process termination

Network Indicators:

  • Suspicious JavaScript payloads in web traffic

SIEM Query:

source="firefox.log" OR source="thunderbird.log" AND (event="crash" OR event="segfault")

📊 Metadata

CVE ID: CVE-2025-14325
CVSS v3 Score: 7.3 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-843
EPSS Score: 0.09% exploit probability (24.7th percentile)
Published: December 9, 2025
Last Updated: January 7, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-14325, you might also want to check these:

CVE-2025-47151 9.8

A type confusion vulnerability in Entr'ouvert Lasso's SAML parsing allows remote code execution when...

Same vulnerability type (CWE-843)
CVE-2025-65570 9.8

A type confusion vulnerability in jsish 2.0 allows incorrect control flow during execution of the OP...

Same vulnerability type (CWE-843)
CVE-2020-25575 9.8

This vulnerability in the Rust failure crate (versions through 0.1.5) involves a type confusion flaw...

Same vulnerability type (CWE-843)