{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14327", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2025-12-09T13:38:01.463Z", "datePublished": "2025-12-09T13:38:02.260Z", "dateUpdated": "2026-04-13T14:24:13.332Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "140.7", "lessThanOrEqual": "140.*", "versionType": "rpm"}, {"status": "unaffected", "version": "146", "lessThanOrEqual": "*", "versionType": "rpm"}]}, {"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "140.7", "lessThanOrEqual": "140.*", "versionType": "rpm"}, {"status": "unaffected", "version": "146", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "Spoofing issue in the Downloads Panel component. This vulnerability was fixed in Firefox 146, Thunderbird 146, Firefox ESR 140.7, and Thunderbird 140.7.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Spoofing issue in the Downloads Panel component. This vulnerability was fixed in Firefox 146, Thunderbird 146, Firefox ESR 140.7, and Thunderbird 140.7."}]}], "title": "Spoofing issue in the Downloads Panel component", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1970743"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-92/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-95/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-03/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-05/"}], "credits": [{"lang": "en", "value": "Caro Kann"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:24:13.332Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-290", "lang": "en", "description": "CWE-290 Authentication Bypass by Spoofing"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-12-11T20:42:08.839635Z", "id": "CVE-2025-14327", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-11T20:45:35.202Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-14327", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-11T20:42:08.839635Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-290", "description": "CWE-290 Authentication Bypass by Spoofing"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-11T20:43:09.255Z"}}], "cna": {"title": "Spoofing issue in the Downloads Panel component", "credits": [{"lang": "en", "value": "Caro Kann"}], "affected": [{"vendor": "Mozilla", "product": "Firefox", "versions": [{"status": "unaffected", "version": "140.7", "versionType": "rpm", "lessThanOrEqual": "140.*"}, {"status": "unaffected", "version": "146", "versionType": "rpm", "lessThanOrEqual": "*"}]}, {"vendor": "Mozilla", "product": "Thunderbird", "versions": [{"status": "unaffected", "version": "140.7", "versionType": "rpm", "lessThanOrEqual": "140.*"}, {"status": "unaffected", "version": "146", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1970743"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-92/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-95/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-03/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-05/"}], "descriptions": [{"lang": "en", "value": "Spoofing issue in the Downloads Panel component. This vulnerability was fixed in Firefox 146, Thunderbird 146, Firefox ESR 140.7, and Thunderbird 140.7.", "supportingMedia": [{"type": "text/html", "value": "Spoofing issue in the Downloads Panel component. This vulnerability was fixed in Firefox 146, Thunderbird 146, Firefox ESR 140.7, and Thunderbird 140.7.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:24:13.332Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14327", "state": "PUBLISHED", "dateUpdated": "2026-04-13T14:24:13.332Z", "dateReserved": "2025-12-09T13:38:01.463Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2025-12-09T13:38:02.260Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*", "matchCriteriaId": "3EF4CBBC-DCB5-4540-8B8A-91DA759ED631", "versionEndExcluding": "146.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*", "matchCriteriaId": "1CB46BC7-512D-45BF-BCF4-73FDDF94DBAF", "versionEndExcluding": "146.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Spoofing issue in the Downloads Panel component. This vulnerability was fixed in Firefox 146, Thunderbird 146, Firefox ESR 140.7, and Thunderbird 140.7."}], "id": "CVE-2025-14327", "lastModified": "2026-04-13T15:16:45.950", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-12-09T16:17:40.227", "references": [{"source": "security@mozilla.org", "tags": ["Issue Tracking", "Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1970743"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-92/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-95/"}, {"source": "security@mozilla.org", "url": "https://www.mozilla.org/security/advisories/mfsa2026-03/"}, {"source": "security@mozilla.org", "url": "https://www.mozilla.org/security/advisories/mfsa2026-05/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-290"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-290"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "firefox: Spoofing issue in the Downloads Panel component", "id": "2420507", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2420507"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2025-14327", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "rhel10/firefox-flatpak", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-12-09T13:38:02Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-14327\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-14327\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1970743\nhttps://www.mozilla.org/security/advisories/mfsa2025-92/"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.", "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-04-20T21:33:18.835287+00:00", "value": {"mitigation_remediation": ["Update Firefox to version 146 or newer, or to the ESR 140.7 or later release to receive the fix.", "Update Thunderbird to version 146 or newer, or to the ESR 140.7 or later release to receive the fix.", "If an update cannot be applied immediately, temporarily use an alternative browser or email client that does not contain this vulnerability until the official patch is applied."], "summary": {"action": "Patch", "impact": "Spoofing of download metadata in Firefox and Thunderbird"}, "threat_synthesis": {"affected_systems": "Mozilla Firefox releases prior to version 146 and the ESR 140.7 line, and Mozilla Thunderbird releases prior to version 146 and the ESR 140.7 line are affected. The vulnerability resides in the common Downloads Panel component used by both applications.", "description_and_impact": "The flaw allows an attacker to alter the name or other display information of files shown in the Downloads Panel of Firefox and Thunderbird. The vulnerability is categorized as CWE\u2011290, indicating a trust issue where an untrusted source can override trusted UI elements. Because the Downloads Panel is visible to all users, an attacker could mislead a user into interacting with a malicious or incorrectly labeled file, potentially enabling social engineering or further exploitation.", "risk_and_exploitability": "The CVSS score of 7.5 signals a moderate\u2011to\u2011high risk. The EPSS score of less than 1\u202f% indicates that exploitation is currently rare, and the vulnerability is not listed in the CISA KEV catalog, so no widespread exploitation is known. The likely attack vector is inferred to involve a malicious website or email that delivers a download through the client, presenting spoofed metadata at remote or local level. Until the fix is applied, users should verify the authenticity of downloads, especially those from untrusted sources."}}}}, "created": "2025-12-10T17:51:31.378279+00:00", "updated": "2026-04-20T21:45:18.956005+00:00", "vendors": ["mozilla", "mozilla$PRODUCT$firefox"]}