Multiple vulnerabilities in Mozilla Firefox
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 13 |
| CVE-ID | CVE-2025-4092 CVE-2025-4090 CVE-2025-4089 CVE-2025-4088 CVE-2025-4086 CVE-2025-4085 CVE-2025-4093 CVE-2025-4091 CVE-2025-4087 CVE-2025-4084 CVE-2025-4083 CVE-2025-4082 CVE-2025-2817 |
| CWE-ID | CWE-119 CWE-200 CWE-20 CWE-352 CWE-125 CWE-693 CWE-667 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Mozilla Firefox Client/Desktop applications / Web browsers Firefox ESR Client/Desktop applications / Web browsers Firefox for Android Mobile applications / Apps for mobile phones |
| Vendor | Mozilla |
Security Bulletin
This security bulletin contains information about 13 vulnerabilities.
1) Buffer overflow
EUVDB-ID: #VU108056
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2025-4092
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 130.0 - 137.0.2
Firefox for Android: 130.0 - 137.0.2
CPE2.3- cpe:2.3:a:mozilla:mozilla_firefox:130.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:130.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:131.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:130.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:130.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:131.0:*:*:*:*:*:*:*
https://www.mozilla.org/en-US/security/advisories/mfsa2025-28/
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1924108%2C1950780%2C1959367
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Information disclosure
EUVDB-ID: #VU108055
Risk: Low
CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-4090
CWE-ID:
CWE-200 - Exposure of sensitive information to an unauthorized actor
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application. A remote attacker can force the application to log sensitive library locations via Logcat.
MitigationInstall updates from vendor's website.
Vulnerable software versionsFirefox for Android: 130.0 - 137.0.2
CPE2.3- cpe:2.3:a:mozilla:firefox_for_android:130.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:130.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:131.0:*:*:*:*:*:*:*
https://www.mozilla.org/en-US/security/advisories/mfsa2025-28/
https://bugzilla.mozilla.org/show_bug.cgi?id=1929478
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Input validation error
EUVDB-ID: #VU108054
Risk: Medium
CVSSv4.0: 4.8 [CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-4089
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient escaping of special characters in the "copy as cURL" feature. A remote attacker can trick the victim into copying a specially crafted URL and execute arbitrary code on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 130.0 - 137.0.2
Firefox for Android: 130.0 - 137.0.2
CPE2.3- cpe:2.3:a:mozilla:mozilla_firefox:130.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:130.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:131.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:130.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:130.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:131.0:*:*:*:*:*:*:*
https://www.mozilla.org/en-US/security/advisories/mfsa2025-28/
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1949994%2C1956698%2C1960198
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Cross-site request forgery
EUVDB-ID: #VU108053
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-4088
CWE-ID:
CWE-352 - Cross-Site Request Forgery (CSRF)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin. A malicious website can use redirects to send credentialed requests to arbitrary endpoints on any site that had invoked the Storage Access API.
Install updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 130.0 - 137.0.2
Firefox for Android: 130.0 - 137.0.2
CPE2.3- cpe:2.3:a:mozilla:mozilla_firefox:130.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:130.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:131.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:130.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:130.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:131.0:*:*:*:*:*:*:*
https://www.mozilla.org/en-US/security/advisories/mfsa2025-28/
https://bugzilla.mozilla.org/show_bug.cgi?id=1953521
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Input validation error
EUVDB-ID: #VU108052
Risk: Low
CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-4086
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a spoofing attack.
The vulnerability exists due to insufficient validation of file names. A remote attacker can trick the victim into downloading a specially crafted file containing a large number of encoded newline characters in its name and obscure the file's extension when displayed in the download dialog.
MitigationInstall updates from vendor's website.
Vulnerable software versionsFirefox for Android: 130.0 - 137.0.2
CPE2.3- cpe:2.3:a:mozilla:firefox_for_android:130.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:130.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:131.0:*:*:*:*:*:*:*
https://www.mozilla.org/en-US/security/advisories/mfsa2025-28/
https://bugzilla.mozilla.org/show_bug.cgi?id=1945705
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Information disclosure
EUVDB-ID: #VU108051
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-4085
CWE-ID:
CWE-200 - Exposure of sensitive information to an unauthorized actor
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the UITour actor. A remote attacker can gain unauthorized access to sensitive information on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 130.0 - 137.0.2
Firefox for Android: 130.0 - 137.0.2
CPE2.3- cpe:2.3:a:mozilla:mozilla_firefox:130.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:130.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:131.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:130.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:130.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:131.0:*:*:*:*:*:*:*
https://www.mozilla.org/en-US/security/advisories/mfsa2025-28/
https://bugzilla.mozilla.org/show_bug.cgi?id=1915280
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Buffer overflow
EUVDB-ID: #VU108050
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2025-4093
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsFirefox ESR: 128.0 - 128.9.0
CPE2.3- cpe:2.3:a:mozilla:firefox_esr:128.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:128.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:128.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:128.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:128.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:128.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:128.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:128.6.0:*:*:*:*:*:*:*
https://www.mozilla.org/en-US/security/advisories/mfsa2025-29/
https://bugzilla.mozilla.org/show_bug.cgi?id=1894100
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Buffer overflow
EUVDB-ID: #VU108049
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2025-4091
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 120.0 - 137.0.2
Firefox ESR: 128.0 - 128.9.0
Firefox for Android: 120.0 - 137.0.2
CPE2.3- cpe:2.3:a:mozilla:mozilla_firefox:120.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:120.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:121.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:128.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:128.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:128.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:128.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:128.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:128.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:128.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:128.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:128.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:120.0:*:*:*:*:*:*:*
https://www.mozilla.org/en-US/security/advisories/mfsa2025-29/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-28/
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1951161%2C1952105
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Out-of-bounds read
EUVDB-ID: #VU108048
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2025-4087
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to a boundary condition when parsing XPath content. A remote attacker can trick the victim into visiting a specially crafted website, trigger an out-of-bounds read error and execute arbitrary code on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 120.0 - 137.0.2
Firefox ESR: 128.0 - 128.9.0
Firefox for Android: 120.0 - 137.0.2
CPE2.3- cpe:2.3:a:mozilla:mozilla_firefox:120.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:120.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:121.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:128.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:128.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:128.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:128.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:128.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:128.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:128.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:128.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:128.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:128.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:120.0:*:*:*:*:*:*:*
https://www.mozilla.org/en-US/security/advisories/mfsa2025-29/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-28/
https://bugzilla.mozilla.org/show_bug.cgi?id=1952465
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Input validation error
EUVDB-ID: #VU108047
Risk: Medium
CVSSv4.0: 4.8 [CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-4084
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient insufficient escaping of the ampersand character in the "copy as cURL" feature. A remote attacker can trick the victim into copying a specially crafted URL and execute arbitrary commands on the system.
Note, the vulnerability affects Windows installations only.
Install updates from vendor's website.
Vulnerable software versionsFirefox ESR: 115.0.1 - 128.9.0
CPE2.3- cpe:2.3:a:mozilla:firefox_esr:115.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:115.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:115.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:115.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:115.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:115.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:115.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:115.5.0:*:*:*:*:*:*:*
https://www.mozilla.org/en-US/security/advisories/mfsa2025-30/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-29/
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1949994%2C1960198
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Protection Mechanism Failure
EUVDB-ID: #VU108046
Risk: High
CVSSv4.0: 6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2025-4083
CWE-ID:
CWE-693 - Protection Mechanism Failure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient process isolation when handling "javascript:" URI links. An attacker can trick the victim into clicking on a specially crafted link and execute content in the top-level document's process instead of the intended frame.
MitigationInstall updates from vendor's website.
Vulnerable software versionsFirefox for Android: 100.1.0 - 137.0.2
Mozilla Firefox: 100.0 - 137.0.2
Firefox ESR: 102.0 - 128.9.0
CPE2.3- cpe:2.3:a:mozilla:firefox_for_android:100.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:100.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:100.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:100.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:100.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:100.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:102.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:102.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:102.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:102.2.0:*:*:*:*:*:*:*
https://www.mozilla.org/en-US/security/advisories/mfsa2025-30/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-29/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-28/
https://bugzilla.mozilla.org/show_bug.cgi?id=1958350
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Buffer overflow
EUVDB-ID: #VU108045
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2025-4082
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing WebGL shader attributes. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code on the target system.
Note, the vulnerability affects macOS installations only.
Install updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 100.0 - 137.0.2
Firefox ESR: 102.0 - 128.9.0
CPE2.3- cpe:2.3:a:mozilla:mozilla_firefox:100.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:100.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:100.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:102.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:102.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:102.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:102.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:102.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:102.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:102.5.0:*:*:*:*:*:*:*
https://www.mozilla.org/en-US/security/advisories/mfsa2025-30/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-29/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-28/
https://bugzilla.mozilla.org/show_bug.cgi?id=1937097
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Improper locking
EUVDB-ID: #VU108044
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-2817
CWE-ID:
CWE-667 - Improper Locking
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to improper locking mechanism in Firefox Updater. A medium-integrity user process can interfere with the SYSTEM-level updater by manipulating the file-locking behavior by injecting code into the user-privileged process. A local user or malicious software installed on the system can bypass intended access controls, allowing SYSTEM-level file operations on paths controlled by a non-privileged user and enabling privilege escalation.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 100.0 - 137.0.2
Firefox ESR: 102.0 - 128.9.0
CPE2.3- cpe:2.3:a:mozilla:mozilla_firefox:100.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:100.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:100.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:102.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:102.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:102.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:102.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:102.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:102.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:102.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:102.8.0:*:*:*:*:*:*:*
https://www.mozilla.org/en-US/security/advisories/mfsa2025-30/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-28/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-29/
https://bugzilla.mozilla.org/show_bug.cgi?id=1917536
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
