CVE-2025-11711 — Sensitive Data Storage in Improperly Locked Memory in Mozilla Firefox

CWE-591 — Sensitive Data Storage in Improperly Locked Memory CWE-284 — Improper Access Control12 documents8 sources

Severity

6.5MEDIUMNVD

EPSS

0.0%

top 91.97%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Thunderbird Mozilla Firefox

Timeline

PublishedOct 14

Latest updateFeb 2

Description

There was a way to change the value of JavaScript Object properties that were supposed to be non-writeable. This vulnerability was fixed in Firefox 144, Firefox ESR 115.29, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶NVDmozilla/firefox116.0 — 140.4.0+2

▶NVDmozilla/thunderbird141.0 — 144.0+1

▶Debianmozilla/thunderbird< 1:140.4.0esr-1~deb11u1+3

🔴Vulnerability Details

GHSA

GHSA-xp5g-gff9-qvvx: There was a way to change the value of JavaScript Object properties that were supposed to be non-writeable↗2025-10-14

▶

OSV

CVE-2025-11711: There was a way to change the value of JavaScript Object properties that were supposed to be non-writeable↗2025-10-14

▶

CVEList

Some non-writable Object properties could be modified↗2025-10-14

▶

📋Vendor Advisories

Ubuntu

Thunderbird vulnerabilities↗2026-02-02

▶

Red Hat

thunderbird: firefox: Some non-writable Object properties could be modified↗2025-10-14

▶

Debian

CVE-2025-11711: firefox - There was a way to change the value of JavaScript Object properties that were su...↗2025

▶

Mozilla

Mozilla Foundation Security Advisory 2025-84: CVE-2025-11711↗

▶

Mozilla

Mozilla Foundation Security Advisory 2025-85: CVE-2025-11711↗

▶