Insufficient Certificate Length Validation in Mozilla Products
CVE-2025-1014

Currently unrated

Key Information:

Vendor
Mozilla
Status
Firefox
Firefox Esr
Thunderbird
Vendor
CVE Published:
4 February 2025

Summary

This vulnerability arises from the failure to validate certificate lengths when added to the certificate store in Mozilla products. Trusted data should ideally be checked thoroughly; however, in this case, the lack of proper length validation led to potential security risks for users operating versions of Firefox and Thunderbird below the specified thresholds. Users are advised to upgrade their software to mitigate potential exploitation.

Affected Version(s)

Firefox < 135

Firefox ESR < 128.7

Thunderbird < 128.7

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1940804
https://www.mozilla.org/security/advisories/mfsa2025-07/
https://www.mozilla.org/security/advisories/mfsa2025-09/

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Theemathas
.