Insufficient Certificate Length Validation in Mozilla Products
CVE-2025-1014

8.8HIGH

Key Information:

Vendor: Mozilla
Status: Firefox; Firefox Esr; Thunderbird
Vendor: CVE Published:; 4 February 2025

Summary

This vulnerability arises from the failure to validate certificate lengths when added to the certificate store in Mozilla products. Trusted data should ideally be checked thoroughly; however, in this case, the lack of proper length validation led to potential security risks for users operating versions of Firefox and Thunderbird below the specified thresholds. Users are advised to upgrade their software to mitigate potential exploitation.

Affected Version(s)

Firefox < 135

Firefox ESR < 128.7

Thunderbird < 128.7

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1940804

https://www.mozilla.org/security/advisories/mfsa2025-07/

https://www.mozilla.org/security/advisories/mfsa2025-09/

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Feb 4, 2025
Vulnerability Reserved
Feb 4, 2025

Credit

Theemathas