CVE-2025-11712: 
NixOS vulnerability analysis and mitigation

CVE-2025-11712 is a security vulnerability discovered in Mozilla Firefox and Thunderbird browsers that was disclosed on October 14, 2025. The vulnerability affects Firefox versions before 144, Firefox ESR versions before 140.4, and Thunderbird versions before both 144 and 140.4. The issue was discovered by security researcher Masato Kinugawa (Mozilla Advisory).

The vulnerability involves the mishandling of the type attribute in OBJECT tags when processing web resources that are served without a content-type header. This security flaw allows a malicious page to override the default browser behavior when encountering such web resources. The vulnerability has been assigned a CVSS 3.1 base score of 6.1 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, and is classified under CWE-116 (Improper Encoding or Escaping of Output) (NVD).

The primary impact of this vulnerability is that it could contribute to Cross-Site Scripting (XSS) attacks on websites that unsafely serve files without a content-type header. The vulnerability has been rated as having a moderate impact by Mozilla, with potential for compromising user data security through XSS attacks (Mozilla Advisory).

Mozilla has addressed this vulnerability in Firefox 144, Firefox ESR 140.4, and Thunderbird 144. Users are advised to update their installations to these versions or newer to mitigate the risk. The fix has been deployed across all affected products including Firefox for various platforms (x86_64, s390x, ppc64le, aarch64) (Red Hat Advisory).