Full Report
Browser maker Mozilla is urging users to update their Firefox instances to the latest version to avoid facing issues with using add-ons due to the impending expiration of a root certificate. "On March 14, 2025, a root certificate used to verify signed content and add-ons for various Mozilla projects, including Firefox, will expire," Mozilla said. "Without updating to Firefox
Analysis Summary
# Vulnerability: Expiring Mozilla Root Certificate Affecting Firefox Features
## CVE Details
- CVE ID: N/A (Configuration/Maintenance Issue, not a traditional software vulnerability)
- CVSS Score: N/A (This is an operational risk/maintenance issue, not an exploitable CVE.)
- CWE: N/A
## Affected Systems
- Products: Mozilla Firefox (Desktop and Android), Tor Browser (based on Firefox ESR)
- Versions: Firefox versions prior to **128.0**, Firefox ESR versions prior to **115.13**
- Configurations: All affected platforms (Windows, macOS, Linux, Android) are impacted if not updated. iOS and iPad users are unaffected.
## Vulnerability Description
A critical root certificate utilized by Mozilla to verify signed content, including browser add-ons, software updates, and digital rights management (DRM) protected media, is scheduled to expire on **March 14, 2025**. If users are running outdated versions of Firefox or Tor Browser, they will be unable to verify the authenticity and integrity of signed components, leading to functional impairments. This issue is not a traditional exploitable flaw but a risk stemming from an expired trust anchor.
## Exploitation
- Status: Not applicable (Operational risk/Feature breakage). Once the certificate expires, users will experience service disruption, typically not unauthorized access.
- Complexity: Low (Passive failure due to inability to verify trust).
- Attack Vector: N/A (Internal system failure post-expiration).
## Impact
- Confidentiality: Potential indirect risk if revocation lists become outdated (Medium).
- Integrity: High (Add-ons, content signing mechanisms, and security alerts will cease functioning or be untrustworthy).
- Availability: High (Add-on functionality will cease; DRM media playback will fail; security features may be interrupted).
## Remediation
### Patches
Users must update to the following versions or newer:
- **Firefox (General):** Version **128.0** or higher.
- **Firefox ESR:** Version **115.13** or higher (critical for users on older OS like Windows 7/8/8.1 and macOS 10.12-10.14).
- **Tor Browser:** Users must update their installations, as it relies on Firefox ESR.
### Workarounds
- Users are strongly advised to update to the specified patched versions.
- No specific workaround is detailed, as failure to update renders core security and functionality reliant on the expired certificate non-functional.
## Detection
- **Indicators (symptoms of the expired certificate, not of compromise):** Add-ons failing to load or displaying as "Unsigned/Invalid," DRM media playback failing, browser alerts regarding breached passwords not appearing.
- **Detection methods and tools:** Users can check their current version by navigating to Menu > Settings > About Firefox. Detection primarily relies on monitoring feature failures related to signing or DRM.
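
For fleets, the version thresholds listed under Affected Systems can be checked in bulk. The following is an added example, not code from Mozilla or the original report; the inventory format (`<host><TAB><version string>`), the host names, and the assumption that ESR builds report an `esr` suffix in their version string are all illustrative.

```python
import re

# Minimum versions taken from the advisory above.
MIN_RELEASE = (128, 0)   # Firefox (general release)
MIN_ESR = (115, 13)      # Firefox ESR

# Assumed input shape: "Mozilla Firefox 115.12.0esr" (ESR builds carry an
# "esr" suffix); beta/nightly suffixes such as "b3" or "a1" are tolerated.
VERSION_RE = re.compile(
    r"Firefox\s+(\d+)\.(\d+)(?:\.\d+)*(?:[ab]\d+)?(esr)?\s*$", re.I
)

def classify(version_string):
    """Return 'ok', 'update-required' or 'unknown' for one version string."""
    m = VERSION_RE.search(version_string.strip())
    if not m:
        return "unknown"   # unparseable: flag for manual review, never assume ok
    version = (int(m.group(1)), int(m.group(2)))
    minimum = MIN_ESR if m.group(3) else MIN_RELEASE
    return "ok" if version >= minimum else "update-required"

def audit(inventory_lines):
    """Map host -> status from lines of the form '<host><TAB><version string>'."""
    report = {}
    for line in inventory_lines:
        if not line.strip():
            continue
        host, _, version_string = line.partition("\t")
        report[host.strip()] = classify(version_string)
    return report

# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE = [
    "ws-001\tMozilla Firefox 127.0.2",
    "ws-002\tMozilla Firefox 128.0",
    "ws-003\tMozilla Firefox 115.12.0esr",
    "ws-004\tMozilla Firefox 115.13.0esr",
    "ws-005\tMozilla Firefox 136.0.1",
    "ws-006\tfirefox: command not found",
]

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE).items()):
        print(f"{host}\t{status}")
```

Hosts reported as `unknown` should be reviewed manually rather than treated as compliant.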
## References
- Vendor Advisory (Mozilla Blog): hxxps://blog.mozilla.org/addons/2025/03/10/root-certificate-will-expire-on-14-march-users-need-to-update-firefox-to-prevent-add-on-breakage/
- Mozilla Support Guidance KB: hxxps://support.mozilla.org/en-US/kb/root-certificate-expiration