{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11153", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2025-09-29T13:22:49.000Z", "datePublished": "2025-09-30T12:49:06.524Z", "dateUpdated": "2026-04-13T14:30:16.322Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "143.0.3", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 143.0.3.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 143.0.3."}]}], "title": "JIT miscompilation in the JavaScript Engine: JIT component", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1987481"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-80/"}], "credits": [{"lang": "en", "value": "Nan Wang"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:30:16.322Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-10-01T13:29:13.538466Z", "id": "CVE-2025-11153", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-15T13:35:33.331Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-11153", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-01T13:29:13.538466Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-01T13:30:18.809Z"}}], "cna": {"title": "JIT miscompilation in the JavaScript Engine: JIT component", "credits": [{"lang": "en", "value": "Nan Wang"}], "affected": [{"vendor": "Mozilla", "product": "Firefox", "versions": [{"status": "unaffected", "version": "143.0.3", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1987481"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-80/"}], "descriptions": [{"lang": "en", "value": "JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 143.0.3.", "supportingMedia": [{"type": "text/html", "value": "JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 143.0.3.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:30:16.322Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11153", "state": "PUBLISHED", "dateUpdated": "2026-04-13T14:30:16.322Z", "dateReserved": "2025-09-29T13:22:49.000Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2025-09-30T12:49:06.524Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "matchCriteriaId": "47232932-B734-4462-8CE1-B7CC32EA9E8E", "versionEndExcluding": "143.0.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 143.0.3."}, {"lang": "es", "value": "Compilaci\u00f3n JIT incorrecta en el motor JavaScript: componente JIT. Esta vulnerabilidad afecta a Firefox < 143.0.3."}], "id": "CVE-2025-11153", "lastModified": "2026-04-13T15:16:39.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-09-30T13:15:48.790", "references": [{"source": "security@mozilla.org", "tags": ["Issue Tracking", "Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1987481"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-80/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "firefox: From CVEorg collector", "id": "2400445", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2400445"}, "csaw": false, "details": ["No description is available for this CVE."], "name": "CVE-2025-11153", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Under investigation", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Under investigation", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Under investigation", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Under investigation", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-09-30T12:49:06Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-11153\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-11153\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1987481\nhttps://www.mozilla.org/security/advisories/mfsa2025-80/"]}

{"analysis": {"en": {"generated_at": "2026-04-20T21:44:04.465252+00:00", "value": {"mitigation_remediation": ["Upgrade Firefox to version 143.0.3 or later", "If an update cannot be applied immediately, configure the browser to block third\u2011party scripts by enabling strict site isolation or applying a content security policy that limits execution of JavaScript from untrusted origins", "Regularly confirm that your system receives Mozilla security updates and monitor Mozilla\u2019s advisories for further mitigation guidance"], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "All Mozilla Firefox browsers built prior to version 143.0.3 are susceptible, regardless of operating system. The bug affects the JavaScript engine that runs in user\u2011process browsers, so any platform that ships the unpatched Firefox executable is impacted.", "description_and_impact": "A miscompilation in Mozilla Firefox\u2019s JavaScript engine JIT component causes the engine to generate incorrect bytecode. This miscompilation can lead to arbitrary code execution if an attacker supplies specially crafted JavaScript that is executed by the victim\u2019s browser. The weakness is classified as a code injection flaw (CWE\u201194) and provides the attacker with the ability to compromise confidentiality, integrity, and availability on vulnerable systems.", "risk_and_exploitability": "The CVSS score of 7.5 indicates high severity, but the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild at present, and the vulnerability is not listed in CISA KEV. Based on the description, the attacker would need to deliver malicious JavaScript to a user\u2019s browser; the most straightforward attack vector appears to be via a compromised or malicious website or email attachment that triggers the JIT compilation process. The exact conditions required for exploitation are not fully detailed, so the risk is considered moderate due to the high severity combined with the low EPSS probability."}}}}, "created": "2025-10-02T08:46:10.331932+00:00", "updated": "2026-04-20T21:45:18.977544+00:00", "vendors": ["mozilla", "mozilla$PRODUCT$firefox"]}