CVE-2025-1014
Published: 04 February 2025
Description
Certificate length was not properly checked when added to a certificate store. In practice only trusted data was processed. This vulnerability was fixed in Firefox 135, Firefox ESR 128.7, Thunderbird 128.7, and Thunderbird 135.
Security Summary
CVE-2025-1014 involves improper validation of certificate length when certificates are added to the certificate store in Mozilla products. Although only trusted data was processed in practice, this flaw affects Firefox versions prior to 135, Firefox ESR prior to 128.7, Thunderbird prior to 128.7, and Thunderbird prior to 135. It is classified under CWE-295 (Improper Certificate Validation) with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A remote attacker can exploit this vulnerability with low attack complexity and no privileges required, though user interaction is necessary. Successful exploitation enables high-impact consequences, including unauthorized access to confidential data, modification of integrity, and disruption of availability.
Mozilla advisories detail the fix applied in Firefox 135, Firefox ESR 128.7, Thunderbird 128.7, and Thunderbird 135. Security practitioners should prioritize updating to these patched versions. Additional technical details are available in Mozilla's MFSA2025-07, MFSA2025-09, MFSA2025-10, MFSA2025-11 advisories and Bugzilla bug 1940804.
Details
- CWE(s)