CVE-2025-1014

Severity: High
Published: 04 February 2025
Modified: 13 April 2026
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0021 (43.9th percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-1014 is a high-severity Improper Certificate Validation (CWE-295) vulnerability in Mozilla Firefox. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Install Root Certificate (T1553.004). The CVE ranks at the 43.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-17 (Public Key Infrastructure Certificates) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-1014 involves improper validation of certificate length when certificates are added to the certificate store in Mozilla products. Although only trusted data was processed in practice, this flaw affects Firefox versions prior to 135, Firefox ESR prior to 128.7, Thunderbird prior to 128.7, and Thunderbird prior to 135. It is classified under CWE-295 (Improper Certificate Validation) with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A remote attacker can exploit this vulnerability with low attack complexity and no privileges required, though user interaction is necessary. Successful exploitation has high impact on all three properties: unauthorized access to confidential data, tampering with data integrity, and disruption of availability.

Mozilla advisories detail the fix applied in Firefox 135, Firefox ESR 128.7, Thunderbird 128.7, and Thunderbird 135. Security practitioners should prioritize updating to these patched versions. Additional technical details are available in Mozilla's advisories MFSA2025-07, MFSA2025-09, MFSA2025-10 and MFSA2025-11, and in Bugzilla bug 1940804.

Vulnerability details

Certificate length was not properly checked when added to a certificate store. In practice only trusted data was processed. This vulnerability was fixed in Firefox 135, Firefox ESR 128.7, Thunderbird 128.7, and Thunderbird 135.

CWE(s)

CWE-295 Improper Certificate Validation

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1553.004 Install Root Certificate (Defense Impairment)
Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
Why these techniques?

Improper certificate length validation during addition to the store directly facilitates rogue certificate installation, subverting trust controls.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-8962 (same product: Mozilla Firefox)
CVE-2026-4720 (same product: Mozilla Firefox)
CVE-2025-1016 (same product: Mozilla Firefox)
CVE-2026-4689 (same product: Mozilla Firefox)
CVE-2026-6759 (same product: Mozilla Firefox)
CVE-2026-0878 (same product: Mozilla Firefox)
CVE-2026-6773 (same product: Mozilla Firefox)
CVE-2026-6763 (same product: Mozilla Firefox)
CVE-2026-2792 (same product: Mozilla Firefox)
CVE-2025-9185 (same product: Mozilla Firefox)

Affected Assets

mozilla / firefox: ≤ 128.7.0 · ≤ 135.0
mozilla / thunderbird: 128.0.1 to 128.7.0 · 131.0 to 135.0

Mitigating Controls (NIST 800-53 r5, AI-assigned)

SI-10 Information Input Validation (prevent)

Directly requires validation of information inputs, such as certificate length when adding to the certificate store, addressing the core improper validation flaw.

SC-17 Public Key Infrastructure Certificates (prevent)

Mandates proper management and validation requirements for PKI certificates, preventing acceptance of improperly formatted certificates into the store.

SI-2 Flaw Remediation (prevent)

Requires timely identification, reporting, and correction of flaws such as this certificate validation vulnerability via patching to the fixed versions.