Description
JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 143.0.3.
Published: 2025-09-30
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A miscompilation in Mozilla Firefox’s JavaScript engine JIT component causes the engine to generate incorrect bytecode. This miscompilation can lead to arbitrary code execution if an attacker supplies specially crafted JavaScript that is executed by the victim’s browser. The weakness is classified as a code injection flaw (CWE‑94) and provides the attacker with the ability to compromise confidentiality, integrity, and availability on vulnerable systems.

Affected Systems

All Mozilla Firefox browsers built prior to version 143.0.3 are susceptible, regardless of operating system. The bug affects the JavaScript engine that runs in user‑process browsers, so any platform that ships the unpatched Firefox executable is impacted.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, but the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild at present, and the vulnerability is not listed in CISA KEV. Based on the description, the attacker would need to deliver malicious JavaScript to a user’s browser; the most straightforward attack vector appears to be via a compromised or malicious website or email attachment that triggers the JIT compilation process. The exact conditions required for exploitation are not fully detailed, so the risk is considered moderate due to the high severity combined with the low EPSS probability.

Generated by OpenCVE AI on April 20, 2026 at 21:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Firefox to version 143.0.3 or later
  • If an update cannot be applied immediately, configure the browser to block third‑party scripts by enabling strict site isolation or applying a content security policy that limits execution of JavaScript from untrusted origins
  • Regularly confirm that your system receives Mozilla security updates and monitor Mozilla’s advisories for further mitigation guidance

Advisories
Source | ID | Title
EUVD | EUVD-2025-31732 | This vulnerability affects Firefox < 143.0.3.

History

Mon, 13 Apr 2026 15:00:00 +0000

Type | Values Removed | Values Added
Description | JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 143.0.3. | JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 143.0.3.

Mon, 13 Oct 2025 10:30:00 +0000

Type | Values Removed | Values Added
Description | This vulnerability affects Firefox < 143.0.3. | JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 143.0.3.
Title | firefox: From CVEorg collector | JIT miscompilation in the JavaScript Engine: JIT component

Fri, 03 Oct 2025 20:15:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*

Thu, 02 Oct 2025 09:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mozilla; Mozilla firefox
Vendors & Products | | Mozilla; Mozilla firefox

Wed, 01 Oct 2025 14:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-94
Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}; ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Oct 2025 00:15:00 +0000

Type | Values Removed | Values Added
Title | | firefox: From CVEorg collector
References

Tue, 30 Sep 2025 13:00:00 +0000

Type | Values Removed | Values Added
Description | | This vulnerability affects Firefox < 143.0.3.
References

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:30:16.322Z

Reserved: 2025-09-29T13:22:49.000Z

Link: CVE-2025-11153

Vulnrichment

Updated: 2025-10-01T13:30:18.809Z

NVD

Status: Modified

Published: 2025-09-30T13:15:48.790

Modified: 2026-04-13T15:16:39.020

Link: CVE-2025-11153

Red Hat

Severity:

Public Date: 2025-09-30T12:49:06Z

Links: CVE-2025-11153 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-20T21:45:18Z

Weaknesses