CVE-2025-11940

Oct. 19, 2025, 9:15 a.m.

7.3
High

Description

A security vulnerability has been detected in LibreWolf up to 143.0.4-1 on Windows. This affects an unknown function of the file assets/setup.nsi of the component Installer. Such manipulation leads to uncontrolled search path. The attack must be carried out locally. Attacks of this nature are highly complex. The exploitability is reported as difficult. Upgrading to version 144.0-1 mitigates this issue. The name of the patch is dd10e31dd873e9cb309fad8aed921d45bf905a55. It is suggested to upgrade the affected component.

Product(s) Impacted

Vendor Product Versions
Librewolf
  • Librewolf
  • <143.0.4-1, <144.0

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-426
Untrusted Search Path
The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a librewolf librewolf <143.0.4-1 / / / / / / /
a librewolf librewolf <144.0 / / / / / / /

References

https://codeberg.org/librewolf/bsys6/commit/dd10e31dd873e9cb309fad8aed921d45bf905a55
https://codeberg.org/librewolf/bsys6/releases/tag/144.0-1
https://github.com/Cyber-Wo0dy/report/blob/main/librewolf/143.0.4-1/librewolf_installer_exe_hijacking.md
https://vuldb.com/?ctiid.329019
https://vuldb.com/?id.329019
https://vuldb.com/?submit.671575

Tags

cna@vuldb.com
CWE-426
2025-10-19
CVE-2025-11940

CVSS Score

7.3 / 10

CVSS Data - 4.0

  • Attack Vector: LOCAL
  • Attack Complexity: HIGH
  • Attack Requirements: NONE
  • Privileges Required: LOW
  • User Interaction: NONE
  • Scope:
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH
  • Exploit Maturity: NOT_DEFINED

    • CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    View Vector String

Timeline

Published: Oct. 19, 2025, 9:15 a.m.
Last Modified: Oct. 19, 2025, 9:15 a.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

cna@vuldb.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.