CVE-2025-14330

9.8 CRITICAL

📋 TL;DR

A JIT (Just-In-Time) compilation vulnerability in the JavaScript engine allows memory corruption when processing malicious JavaScript code. This affects Firefox, Firefox ESR, and Thunderbird users running vulnerable versions. Attackers could exploit this to execute arbitrary code or crash applications.

💻 Affected Systems

Products:
  • Firefox
  • Firefox ESR
  • Thunderbird
Versions: Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, Thunderbird < 140.6
Operating Systems: All platforms where affected products run
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable. No special configuration required for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution with full system compromise, allowing attackers to install malware, steal data, or pivot to other systems.

🟠

Likely Case

Application crash (denial of service) or limited code execution within browser sandbox, potentially leading to data theft or further exploitation.

🟢

If Mitigated

With proper controls like sandboxing and exploit mitigations, impact may be limited to application crash or contained code execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires JavaScript execution, which is trivial via web pages or emails. No authentication needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 146+, Firefox ESR 140.6+, Thunderbird 146+, Thunderbird 140.6+

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2025-92/

Restart Required: Yes

Instructions:

1. Open the affected application.
2. Go to Help > About Firefox/Thunderbird.
3. Allow the automatic update, or download the latest version from mozilla.org.
4. Restart the application after the update.

🔧 Temporary Workarounds

Disable JavaScript (applies to: all)

Prevents JavaScript execution, blocking the exploitation vector but breaking most web functionality.

Use an alternative browser/email client (applies to: all)

Temporarily switch to unaffected applications until patching is complete.

🧯 If You Can't Patch

  • Isolate affected systems from untrusted networks and internet access
  • Implement application whitelisting to prevent unauthorized code execution

🔍 How to Verify

Check if Vulnerable:

Check the application version in the Help > About menu. If the version is below the patched version for its release channel (146 for Firefox and Thunderbird, 140.6 for the ESR branches), the system is vulnerable.

Check Version:

Run firefox --version or thunderbird --version on the command line.

Verify Fix Applied:

Confirm version is at or above patched versions: Firefox 146+, Firefox ESR 140.6+, Thunderbird 146+, Thunderbird 140.6+
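The version check described above has one trap: Firefox ESR and Thunderbird ESR stay on the 140.x line, so comparing them against 146 flags patched ESR installs as vulnerable, while comparing everything against 140.6 misses vulnerable release builds. The following script is an added example, not part of the advisory; it assumes the --version output looks like "Mozilla Firefox 140.6.0esr" and uses the "esr" suffix to pick the right threshold.

```python
import re
import subprocess
from typing import Optional, Tuple

# Patched versions from the advisory (mfsa2025-92), keyed by release channel.
# ESR builds stay on the 140.x line and must be compared against 140.6, not 146.
PATCHED = {
    "release": (146, 0, 0),
    "esr": (140, 6, 0),
}

# Assumption: `firefox --version` / `thunderbird --version` print a line like
# "Mozilla Firefox 140.6.0esr"; the "esr" suffix identifies the ESR channel.
VERSION_RE = re.compile(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(esr)?", re.IGNORECASE)


def parse_version(output: str) -> Tuple[Tuple[int, int, int], str]:
    """Return ((major, minor, patch), channel) parsed from --version output."""
    m = VERSION_RE.search(output)
    if not m:
        raise ValueError(f"no version number in {output!r}")
    major, minor, patch, esr = m.groups()
    version = (int(major), int(minor or 0), int(patch or 0))
    return version, ("esr" if esr else "release")


def is_vulnerable(output: str) -> bool:
    """True if the version is below the patched version for its channel."""
    version, channel = parse_version(output)
    return version < PATCHED[channel]


def check_binary(binary: str) -> Optional[bool]:
    """Run `<binary> --version` and classify it; None if it cannot be run."""
    try:
        out = subprocess.run([binary, "--version"], capture_output=True,
                             text=True, check=True, timeout=30).stdout
    except (FileNotFoundError, subprocess.CalledProcessError,
            subprocess.TimeoutExpired):
        return None
    return is_vulnerable(out)


if __name__ == "__main__":
    # Constructed sample outputs, not captured from real installs.
    for sample in ["Mozilla Firefox 145.0.2", "Mozilla Firefox 146.0",
                   "Mozilla Firefox 140.5.1esr", "Mozilla Firefox 140.6.0esr",
                   "Mozilla Thunderbird 140.7.0esr"]:
        print(f"{sample:32} vulnerable={is_vulnerable(sample)}")
    print("installed firefox vulnerable:", check_binary("firefox"))
```

Run it on an endpoint to classify the installed binary, or feed it version strings collected by inventory tooling.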

📡 Detection & Monitoring

Log Indicators:

  • Application crash logs with memory corruption errors
  • Unexpected process termination

Network Indicators:

  • Suspicious JavaScript delivery via web or email

SIEM Query:

(source="*firefox*" OR source="*thunderbird*") AND (event="crash" OR event="segfault")
