CVE-2025-11712: Vulnerability in Mozilla Firefox
A malicious page could have used the type attribute of an OBJECT tag to override the default browser behavior when encountering a web resource served without a content-type. This could have contributed to an XSS on a site that unsafely serves files without a content-type header. This vulnerability was fixed in Firefox 144, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4.
AI Analysis
Technical Summary
This vulnerability involves the OBJECT HTML tag's type attribute in Mozilla Firefox. When a web resource is served without a content-type header, the type attribute could be used maliciously to override the browser's default handling of that resource. This flaw could contribute to cross-site scripting (XSS) attacks on websites that serve files without a content-type header in an unsafe manner. Mozilla fixed this vulnerability in Firefox 144 and Firefox ESR 140.4 as part of their October 14, 2025 security updates.
Potential Impact
The vulnerability could enable an attacker to perform cross-site scripting (XSS) attacks on websites that serve files without a content-type header, potentially leading to the execution of malicious scripts in the context of the affected site. The CVSS score is 6.1 (medium severity), indicating a moderate impact with potential confidentiality and integrity loss but no direct availability impact. There are no known exploits in the wild at the time of disclosure.
Mitigation Recommendations
Mozilla has released official fixes for this vulnerability in Firefox 144 and Firefox ESR 140.4. Users and administrators should update to these versions or later to remediate the issue. Since this is a client-side browser vulnerability, applying the official browser updates is the primary and recommended mitigation. No additional vendor-recommended mitigations are specified.
CVE-2025-11712: Vulnerability in Mozilla Firefox
Description
A malicious page could have used the type attribute of an OBJECT tag to override the default browser behavior when encountering a web resource served without a content-type. This could have contributed to an XSS on a site that unsafely serves files without a content-type header. This vulnerability was fixed in Firefox 144, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability involves the OBJECT HTML tag's type attribute in Mozilla Firefox. When a web resource is served without a content-type header, the type attribute could be used maliciously to override the browser's default handling of that resource. This flaw could contribute to cross-site scripting (XSS) attacks on websites that serve files without a content-type header in an unsafe manner. Mozilla fixed this vulnerability in Firefox 144 and Firefox ESR 140.4 as part of their October 14, 2025 security updates.
Potential Impact
The vulnerability could enable an attacker to perform cross-site scripting (XSS) attacks on websites that serve files without a content-type header, potentially leading to the execution of malicious scripts in the context of the affected site. The CVSS score is 6.1 (medium severity), indicating a moderate impact with potential confidentiality and integrity loss but no direct availability impact. There are no known exploits in the wild at the time of disclosure.
Mitigation Recommendations
Mozilla has released official fixes for this vulnerability in Firefox 144 and Firefox ESR 140.4. Users and administrators should update to these versions or later to remediate the issue. Since this is a client-side browser vulnerability, applying the official browser updates is the primary and recommended mitigation. No additional vendor-recommended mitigations are specified.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- mozilla
- Date Reserved
- 2025-10-13T19:50:07.919Z
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 68ee47cf509368ccaa6fc8b3
Added to database: 10/14/2025, 12:53:35 PM
Last enriched: 4/14/2026, 11:35:37 AM
Last updated: 5/8/2026, 11:03:29 PM
Views: 99
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.