CVE-2025-1014
Published: 04 February 2025
Summary
CVE-2025-1014 is a high-severity Improper Certificate Validation (CWE-295) vulnerability in Mozilla Firefox. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Install Root Certificate (T1553.004). The CVE ranks at the 43.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-17 (Public Key Infrastructure Certificates) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-1014 involves improper validation of certificate length when certificates are added to the certificate store in Mozilla products. Although only trusted data was processed in practice, this flaw affects Firefox versions prior to 135, Firefox ESR prior to 128.7, Thunderbird prior to 128.7, and Thunderbird prior to 135. It is classified under CWE-295 (Improper Certificate Validation) with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A remote attacker can exploit this vulnerability with low attack complexity and no privileges required, though user interaction is necessary. Successful exploitation carries high impact across confidentiality, integrity, and availability: unauthorized access to confidential data, unauthorized modification of data, and disruption of service.
Mozilla's advisories detail the fix shipped in Firefox 135, Firefox ESR 128.7, Thunderbird 128.7, and Thunderbird 135. Security practitioners should prioritize updating to these patched versions. Additional technical details are available in Mozilla advisories MFSA2025-07, MFSA2025-09, MFSA2025-10 and MFSA2025-11, and in Bugzilla bug 1940804.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-1969
Vulnerability details
Certificate length was not properly checked when added to a certificate store. In practice only trusted data was processed. This vulnerability was fixed in Firefox 135, Firefox ESR 128.7, Thunderbird 128.7, and Thunderbird 135.
- CWE(s): CWE-295 (Improper Certificate Validation)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Install Root Certificate (T1553.004)
Why these techniques?
Improper certificate length validation during addition to the store directly facilitates rogue certificate installation, subverting trust controls.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation of information inputs such as certificate length when adding to the certificate store, addressing the core improper validation flaw.
- SC-17 (Public Key Infrastructure Certificates): Mandates proper management and validation requirements for PKI certificates, preventing acceptance of improperly formatted certificates into the store.
- SI-2 (Flaw Remediation): Requires timely identification, reporting, and correction of flaws such as this certificate validation vulnerability via patching to fixed versions.
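As an added illustration of the input-validation control (SI-10) applied to the flaw class described under "Vulnerability details": a strict DER length check at the boundary of a toy certificate store. This is example code written for this page, not Mozilla's code, and it does not reproduce the specific Firefox defect, whose internals the page does not describe. The `CertificateStore` class, the `CertificateRejected` exception and the sample byte strings are constructed for the example; the byte strings are structurally valid or deliberately malformed DER envelopes, not real X.509 certificates.

```python
"""Structural DER length validation before a certificate enters a store.

Example code for this page (not Mozilla's). A real store would go on to
parse and verify the certificate; this shows only the envelope check that
rejects truncated, oversized, indefinite-length and trailing-data inputs.
"""


class CertificateRejected(ValueError):
    """Raised when a candidate certificate fails structural validation."""


def parse_der_header(buf: bytes) -> tuple[int, int, int]:
    """Parse the outer DER tag and length; return (tag, header_len, content_len).

    DER allows only definite, minimally encoded lengths, so the indefinite
    form (0x80) and any non-minimal long form are rejected here.
    """
    if len(buf) < 2:
        raise CertificateRejected("too short to hold a tag and a length")
    tag, first = buf[0], buf[1]
    if first < 0x80:                       # short form: length fits in 7 bits
        return tag, 2, first
    if first == 0x80:                      # indefinite length: BER only
        raise CertificateRejected("indefinite length not allowed in DER")
    num_octets = first & 0x7F
    if num_octets > 4:
        raise CertificateRejected("length field wider than 4 octets")
    if len(buf) < 2 + num_octets:
        raise CertificateRejected("truncated length field")
    length_bytes = buf[2:2 + num_octets]
    if length_bytes[0] == 0x00:
        raise CertificateRejected("non-minimal length (leading zero octet)")
    content_len = int.from_bytes(length_bytes, "big")
    if content_len < 0x80:
        raise CertificateRejected("non-minimal length (long form for < 128)")
    return tag, 2 + num_octets, content_len


def validate_certificate_length(buf: bytes) -> int:
    """Require buf to be exactly one DER SEQUENCE whose length matches the buffer.

    Returns the total encoded length. Rejects a wrong outer tag, a declared
    length that overruns the buffer (truncation) and leftover bytes after
    the declared end (trailing data).
    """
    tag, header_len, content_len = parse_der_header(buf)
    if tag != 0x30:
        raise CertificateRejected(f"outer tag 0x{tag:02x} is not SEQUENCE")
    total = header_len + content_len
    if total > len(buf):
        raise CertificateRejected(f"declares {total} bytes, only {len(buf)} present")
    if total < len(buf):
        raise CertificateRejected(f"{len(buf) - total} trailing bytes after certificate")
    return total


class CertificateStore:
    """Toy store that admits only structurally validated certificates."""

    def __init__(self) -> None:
        self._certs: list[bytes] = []

    def add(self, buf: bytes) -> bool:
        """Store buf if it passes validation; return whether it was stored."""
        try:
            validate_certificate_length(buf)
        except CertificateRejected:
            return False
        self._certs.append(bytes(buf))
        return True

    def __len__(self) -> int:
        return len(self._certs)


# Constructed samples: DER envelopes with filler content, not real certificates.
GOOD_SHORT = bytes([0x30, 0x03, 0x02, 0x01, 0x05])        # SEQUENCE { INTEGER 5 }
GOOD_LONG = bytes([0x30, 0x81, 0x80]) + b"\x05" * 0x80     # 128-byte body, long form
TRUNCATED = bytes([0x30, 0x10]) + b"\x05" * 4               # claims 16 bytes, has 4
TRAILING = GOOD_SHORT + b"\x00\x00"                         # junk after the cert
INDEFINITE = bytes([0x30, 0x80, 0x02, 0x01, 0x05, 0x00, 0x00])
NON_MINIMAL = bytes([0x30, 0x81, 0x03, 0x02, 0x01, 0x05])   # long form for 3


def demo() -> dict[str, bool]:
    """Offer each sample to a fresh store; map sample name -> accepted."""
    store = CertificateStore()
    samples = {
        "good_short": GOOD_SHORT, "good_long": GOOD_LONG, "truncated": TRUNCATED,
        "trailing": TRAILING, "indefinite": INDEFINITE, "non_minimal": NON_MINIMAL,
    }
    return {name: store.add(buf) for name, buf in samples.items()}


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:12s} {'stored' if accepted else 'rejected'}")
```

The check is deliberately strict in both directions: a declared length longer than the buffer is the classic over-read, but a shorter one (trailing bytes) is also rejected, because a parser that silently ignores trailing data can disagree with another parser about which certificate was actually presented.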