CVE Alert: CVE-2025-11940 - n/a - LibreWolf

CVE-2025-11940

HIGHNo exploitation known

A security vulnerability has been detected in LibreWolf up to 143.0.4-1 on Windows. This affects an unknown function of the file assets/setup.nsi of the component Installer. Such manipulation leads to uncontrolled search path. The attack must be carried out locally. Attacks of this nature are highly complex. The exploitability is reported as difficult. Upgrading to version 144.0-1 mitigates this issue. The name of the patch is dd10e31dd873e9cb309fad8aed921d45bf905a55. It is suggested to upgrade the affected component.

CVSS v3.1 (7)

Vendor

n/a

Product

LibreWolf

Versions

143.0.4-1 | 144.0-1

CWE

CWE-427, Uncontrolled Search Path

Vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:X/RL:O/RC:C

Published

2025-10-19T08:32:06.681Z

Updated

2025-10-19T08:32:06.681Z

References

https://vuldb.com/?id.329019

https://vuldb.com/?ctiid.329019

https://vuldb.com/?submit.671575

https://github.com/Cyber-Wo0dy/report/blob/main/librewolf/143.0.4-1/librewolf_installer_exe_hijacking.md

https://codeberg.org/librewolf/bsys6/commit/dd10e31dd873e9cb309fad8aed921d45bf905a55

https://codeberg.org/librewolf/bsys6/releases/tag/144.0-1

AI Summary Analysis

Risk verdict

High severity, local attacker could exploit an uncontrolled search path in the Windows LibreWolf installer; patch promptly.

Why this matters

The flaw allows an attacker with local access to influence loaded components during installation, risking full code execution with high impact on confidentiality, integrity and availability. Exploitation does not require user interaction, so any locally authenticated attacker could trigger an install-time compromise if the environment allows modification of installer assets.

Most likely attack path

An attacker with local access supplies or manipulats assets/setup.nsi, creating or directing the installer to load a malicious library from an untrusted path. The local attack vector combined with high impact (C/H I/H A/H) and low privileges required suggests a feasible privilege escalation during installation, absent user prompts.

Who is most exposed

Windows endpoints where LibreWolf installers are run, especially organisations deploying or updating via the affected 143.0.4-1 package or testing/build environments that may still use it; end users executing the installer are also at risk if controls are lax.

Detection ideas

Look for unexpected DLLs loaded by the installer process.
Monitor integrity of assets/setup.nsi and related installer components.
Detect tampering or unexpected modifications to the installer directory (timestamp changes, new files).
Identify unsigned or anomalous binaries in the installer path.
Alert on installation attempts that bypass expected digital signatures or source validation.

Mitigation and prioritisation

Apply the patch to 144.0-1 (patch dd10e31dd873e9cb309fad8aed921d45bf905a55) and verify deployment.
Enforce trusted sources and signed installers; restrict modifications to installer assets.
Use least-privilege execution for installers; enable UAC prompts and application whitelisting.
Implement file integrity monitoring around installer components and related directories.
Update software inventories and rollout plans; re-scan endpoints after patching.

Support Our Work

A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on Patreon or Buy Me A Coffee using the buttons below.

AI APIs OSINT driven New features

Buy Me A Coffee Patreon

Tags: CVE, cve-2025-11940, librewolf, n-a, OSINT, threatintel