CVE-2025-11710: 
NixOS vulnerability analysis and mitigation

CVE-2025-11710 is a high-severity vulnerability discovered in Mozilla products that was disclosed on October 14, 2025. The vulnerability affects multiple versions of Mozilla products including Firefox < 144, Firefox ESR < 115.29, Firefox ESR < 140.4, Thunderbird < 144, and Thunderbird < 140.4. The vulnerability was discovered by security researcher Oskar L (Mozilla Advisory).

The vulnerability involves a cross-process information leak where a compromised web process using malicious IPC (Inter-Process Communication) messages could cause the privileged browser process to reveal blocks of its memory to the compromised process. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating remote exploitation with low attack complexity and no required privileges or user interaction (NVD).

The vulnerability allows unauthorized access to privileged browser process memory, potentially exposing sensitive information to malicious actors. Given the CRITICAL severity rating and the high impact scores for confidentiality, integrity, and availability, this vulnerability could potentially lead to significant security breaches in affected systems (CISA-ADP).

Mozilla has released security updates to address this vulnerability. Users should upgrade to Firefox 144, Firefox ESR 115.29, Firefox ESR 140.4, Thunderbird 144, or Thunderbird 140.4, depending on their product version. These updates contain fixes for the IPC message vulnerability along with other security improvements (Mozilla Advisory).