CVE-2025-11714: 
NixOS vulnerability analysis and mitigation

Memory safety vulnerability (CVE-2025-11714) was discovered affecting multiple Mozilla products. The vulnerability was identified in Firefox ESR 115.28, Firefox ESR 140.3, Thunderbird ESR 140.3, Firefox 143, and Thunderbird 143. The issue was disclosed on October 14, 2025, and was discovered by the Mozilla Fuzzing Team (Mozilla Advisory).

The vulnerability involves memory safety bugs that showed evidence of memory corruption. The issue received a CVSS v3.1 Base Score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is associated with multiple CWE categories including CWE-125 (Out-of-bounds Read), CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), and CWE-787 (Out-of-bounds Write) (NVD).

The vulnerability could potentially allow attackers to execute arbitrary code if exploited successfully. The affected versions include Firefox < 144, Firefox ESR < 115.29, Firefox ESR < 140.4, Thunderbird < 144, and Thunderbird < 140.4. In Thunderbird specifically, these flaws cannot be exploited through email as scripting is disabled when reading mail, but remain potential risks in browser or browser-like contexts (Mozilla Advisory).

Mozilla has addressed these vulnerabilities by releasing security updates: Firefox 144, Firefox ESR 115.29, Firefox ESR 140.4, Thunderbird 144, and Thunderbird ESR 140.4. Users are advised to update their installations to these latest versions to mitigate the risk (Mozilla Advisory).