Cross-Site Scripting Vulnerability in Firefox and Thunderbird
CVE-2025-11712

Currently unrated

Key Information:

Vendor: Mozilla

CVE Published: 14 October 2025

What is CVE-2025-11712?

A potential cross-site scripting (XSS) vulnerability arises from a flaw in how Firefox and Thunderbird handle OBJECT tag attributes. A malicious page can take advantage of web resources that are served without a content-type header to change the browser's default processing of those resources. This increases the risk of XSS attacks against websites that improperly serve files. Users of affected versions of Firefox (prior to 144 and ESR prior to 140.4) and Thunderbird (prior to 144 and ESR prior to 140.4) should update promptly to mitigate this security risk.
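On the server side, the condition described above (files served without a content-type header) can be closed independently of the browser update. The following is an added example, not code from Mozilla or from this page: a WSGI middleware that supplies a type when the application omits one and records the offending paths. The fallback type, the class and function names, and the sample app are assumptions made for illustration.

```python
FALLBACK_TYPE = "application/octet-stream"  # assumption: inert default type

class EnsureContentType:
    """Wrap a WSGI app so no response with a body leaves without a Content-Type."""

    def __init__(self, app, fallback=FALLBACK_TYPE):
        self.app = app
        self.fallback = fallback
        self.missing = []  # request paths the app served without a type

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")

        def patched(status, headers, exc_info=None):
            code = int(status.split(" ", 1)[0])
            typed = any(k.lower() == "content-type" and v.strip() for k, v in headers)
            bodyless = code < 200 or code in (204, 304)  # no body, no type needed
            if not typed and not bodyless:
                # Drop an empty Content-Type if present, then set the fallback.
                headers = [(k, v) for k, v in headers if k.lower() != "content-type"]
                headers.append(("Content-Type", self.fallback))
                self.missing.append(path)  # record so the app itself can be fixed
            return start_response(status, headers, exc_info)

        return self.app(environ, patched)

def demo_app(environ, start_response):
    """Constructed sample app: only /page declares a type."""
    path = environ["PATH_INFO"]
    if path == "/page":
        start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
        return [b"<p>ok</p>"]
    if path == "/empty":
        start_response("204 No Content", [])
        return []
    start_response("200 OK", [("Content-Length", "4")])  # /upload.bin: no type
    return [b"\x00\x01\x02\x03"]

def fetch_headers(app, path):
    """Call a WSGI app directly and return its response headers, lower-cased."""
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen.update((k.lower(), v) for k, v in headers)
    b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return seen
```

The `missing` list is the useful output for triage: each entry is a route that should be given an explicit, correct type at the source.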

Affected Version(s)

Firefox < 144

Firefox ESR < 140.4

Thunderbird < 144

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Masato Kinugawa