CVE-2025-11940 identifies a security vulnerability in the LibreWolf browser's Windows installer component, specifically within the assets/setup.nsi script used during installation. The vulnerability arises from an uncontrolled search path, meaning the installer may load files or dependencies from unintended or attacker-controlled locations. This can lead to the execution of malicious code with the privileges of the installer process. The attack requires local access with limited privileges and does not require user interaction, but the complexity of the attack is high, making exploitation difficult. The vulnerability impacts LibreWolf versions up to 143.0.4-1 on Windows platforms. The issue is resolved in version 144.0-1 by applying a patch identified by commit dd10e31dd873e9cb309fad8aed921d45bf905a55. The CVSS 4.0 vector (AV:L/AC:H/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X) indicates local attack vector, high attack complexity, low privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. No known exploits have been reported in the wild, but the vulnerability poses a significant risk if leveraged by a local attacker to compromise system security during installation or update processes.

For European organizations, this vulnerability could allow a local attacker to execute arbitrary code during the installation or update of LibreWolf on Windows systems, potentially leading to unauthorized access, data compromise, or system integrity violations. This is particularly concerning for organizations that rely on LibreWolf for secure browsing or have strict security policies requiring trusted software installation. The ability to manipulate the installer’s search path could facilitate privilege escalation or persistence mechanisms. Although exploitation is complex and requires local access, insider threats or attackers who gain initial footholds could leverage this vulnerability to deepen their control. The impact extends to confidentiality, integrity, and availability of affected systems, potentially disrupting business operations or exposing sensitive data.

European organizations should immediately upgrade all affected LibreWolf installations on Windows to version 144.0-1 or later, which contains the patch addressing this vulnerability. Additionally, organizations should enforce strict local access controls and monitor for unauthorized local activity, especially on systems where LibreWolf is installed. Implement application whitelisting to prevent execution of unauthorized installers or scripts. Regularly audit and restrict user privileges to minimize the risk of local exploitation. Employ endpoint detection and response (EDR) solutions to detect suspicious installer behavior or attempts to manipulate file paths. Finally, educate users and administrators about the risks of local attacks and the importance of applying security updates promptly.