Multiple vulnerabilities in Mozilla Firefox
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 11 |
| CVE-ID | CVE-2025-5262 CVE-2025-5263 CVE-2025-5264 CVE-2025-5265 CVE-2025-5272 CVE-2025-5266 CVE-2025-5270 CVE-2025-5271 CVE-2025-5269 CVE-2025-5268 CVE-2025-5267 |
| CWE-ID | CWE-415 CWE-388 CWE-20 CWE-119 CWE-200 CWE-319 CWE-693 CWE-357 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Mozilla Firefox Client/Desktop applications / Web browsers Firefox ESR Client/Desktop applications / Web browsers Firefox for Android Mobile applications / Apps for mobile phones |
| Vendor | Mozilla |
Security Bulletin
This security bulletin contains information about 11 vulnerabilities.
1) Double free
EUVDB-ID: #VU109855
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2025-5262
CWE-ID:
CWE-415 - Double Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the vpx_codec_enc_init_multi() function in libvpx encoder for WebRTC. A remote attacker can trick the victim into visiting a specially crafted website, trigger a double free error and execute arbitrary code on the target system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 100.0 - 138.0.4
Firefox ESR: 102.0 - 128.10.1
Firefox for Android: 100.1.0 - 138.0
CPE2.3- cpe:2.3:a:mozilla:mozilla_firefox:100.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:100.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:100.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:102.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:102.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:102.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:102.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:102.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:102.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:102.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:100.1.0:*:*:*:*:*:*:*
https://www.mozilla.org/en-US/security/advisories/mfsa2025-43/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-44/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-42/
https://bugzilla.mozilla.org/show_bug.cgi?id=1962421
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Improper error handling
EUVDB-ID: #VU109857
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-5263
CWE-ID:
CWE-388 - Error Handling
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to error handling for script execution is not correctly isolated from the web content. A remote attacker can trick the victim into opening a specially crafted website and obtain certain information cross-origin.
Install updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 100.0 - 138.0.4
Firefox ESR: 102.0 - 128.10.1
Firefox for Android: 100.1.0 - 138.0
CPE2.3- cpe:2.3:a:mozilla:mozilla_firefox:100.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:100.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:100.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:102.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:102.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:102.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:102.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:102.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:102.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:102.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:100.1.0:*:*:*:*:*:*:*
https://www.mozilla.org/en-US/security/advisories/mfsa2025-43/
https://bugzilla.mozilla.org/show_bug.cgi?id=1960745
https://www.mozilla.org/en-US/security/advisories/mfsa2025-44/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-42/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Input validation error
EUVDB-ID: #VU109858
Risk: Medium
CVSSv4.0: 4.5 [CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-5264
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient validation of user-supplied input within the "Copy as cURL" feature. A remote attacker can trick the victim into copying a specially crafted URL, trick the victim into using this command and execute arbitrary commands on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 100.0 - 138.0.4
Firefox ESR: 102.0 - 128.10.1
Firefox for Android: 100.1.0 - 138.0
CPE2.3- cpe:2.3:a:mozilla:mozilla_firefox:100.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:100.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:100.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:102.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:102.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:102.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:102.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:102.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:102.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:102.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:102.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:100.1.0:*:*:*:*:*:*:*
https://www.mozilla.org/en-US/security/advisories/mfsa2025-43/
https://bugzilla.mozilla.org/show_bug.cgi?id=1950001
https://www.mozilla.org/en-US/security/advisories/mfsa2025-44/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-42/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Input validation error
EUVDB-ID: #VU109859
Risk: Medium
CVSSv4.0: 4.5 [CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-5265
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient validation of user-supplied input within the "Copy as cURL" feature. A remote attacker can trick the victim into copying a specially crafted URL, trick the victim into using this command and execute arbitrary commands on the system.
The vulnerability affects Windows installations only.
Install updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 100.0 - 138.0.4
Firefox ESR: 102.0 - 128.10.1
Firefox for Android: 100.1.0 - 138.0
CPE2.3- cpe:2.3:a:mozilla:mozilla_firefox:100.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:100.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:100.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:102.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:102.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:102.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:102.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:102.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:102.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:102.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:102.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:102.10.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:100.1.0:*:*:*:*:*:*:*
https://www.mozilla.org/en-US/security/advisories/mfsa2025-43/
https://bugzilla.mozilla.org/show_bug.cgi?id=1962301
https://www.mozilla.org/en-US/security/advisories/mfsa2025-44/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-42/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Buffer overflow
EUVDB-ID: #VU109881
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2025-5272
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 130.0 - 138.0.4
Firefox for Android: 130.0 - 138.0
CPE2.3- cpe:2.3:a:mozilla:mozilla_firefox:130.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:130.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:131.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:130.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:130.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:131.0:*:*:*:*:*:*:*
https://www.mozilla.org/security/advisories/mfsa2025-42/
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1726254
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1742738
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1960121
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Information disclosure
EUVDB-ID: #VU109875
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-5266
CWE-ID:
CWE-200 - Exposure of sensitive information to an unauthorized actor
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to script elements loading cross-origin resources generated load and error
events, which leaked information. A remote attacker can gain access to sensitive information.
Install updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 120.0 - 138.0.4
Firefox ESR: 128.0 - 128.10.1
Firefox for Android: 120.0 - 138.0
CPE2.3- cpe:2.3:a:mozilla:mozilla_firefox:120.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:120.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:121.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:128.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:128.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:128.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:128.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:128.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:128.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:128.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:120.0:*:*:*:*:*:*:*
https://bugzilla.mozilla.org/show_bug.cgi?id=1965628
https://www.mozilla.org/security/advisories/mfsa2025-42/
https://www.mozilla.org/security/advisories/mfsa2025-44/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Cleartext transmission of sensitive information
EUVDB-ID: #VU109879
Risk: Low
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-5270
CWE-ID:
CWE-319 - Cleartext Transmission of Sensitive Information
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to software does not always encrypt SNI even when encrypted DNS was enabled. A remote attacker with ability to intercept network traffic can gain access to sensitive data.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 130.0 - 138.0.4
Firefox for Android: 130.0 - 138.0
CPE2.3- cpe:2.3:a:mozilla:mozilla_firefox:130.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:130.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:131.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:130.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:130.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:131.0:*:*:*:*:*:*:*
https://bugzilla.mozilla.org/show_bug.cgi?id=1910298
https://www.mozilla.org/security/advisories/mfsa2025-42/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Protection Mechanism Failure
EUVDB-ID: #VU109880
Risk: Low
CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-5271
CWE-ID:
CWE-693 - Protection Mechanism Failure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to Devtools ignores CSP headers when previewing content. A remote attacker can perform content injection attacks.
Install updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 130.0 - 138.0.4
Firefox for Android: 130.0 - 138.0
CPE2.3- cpe:2.3:a:mozilla:mozilla_firefox:130.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:130.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:131.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:130.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:130.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:131.0:*:*:*:*:*:*:*
https://bugzilla.mozilla.org/show_bug.cgi?id=1920348
https://www.mozilla.org/security/advisories/mfsa2025-42/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Buffer overflow
EUVDB-ID: #VU109878
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2025-5269
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsFirefox ESR: 128.0 - 128.10.1
CPE2.3- cpe:2.3:a:mozilla:firefox_esr:128.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:128.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:128.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:128.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:128.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:128.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:128.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:128.6.0:*:*:*:*:*:*:*
https://bugzilla.mozilla.org/show_bug.cgi?id=1924108
https://www.mozilla.org/security/advisories/mfsa2025-44/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Buffer overflow
EUVDB-ID: #VU109877
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2025-5268
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 120.0 - 138.0.4
Firefox ESR: 128.0 - 128.10.1
Firefox for Android: 120.0 - 138.0
CPE2.3- cpe:2.3:a:mozilla:mozilla_firefox:120.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:120.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:121.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:128.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:128.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:128.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:128.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:128.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:128.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:128.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:128.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:128.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:120.0:*:*:*:*:*:*:*
https://www.mozilla.org/security/advisories/mfsa2025-42/
https://www.mozilla.org/security/advisories/mfsa2025-44/
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1950136
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1958121
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1960499
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1962634
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Insufficient UI Warning of Dangerous Operations
EUVDB-ID: #VU109876
Risk: Low
CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-5267
CWE-ID:
CWE-357 - Insufficient UI Warning of Dangerous Operations
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform clickjacking attacks.
The vulnerability exists due to an error in the UI that can lead to information disclosure. A remote attacker can perform a clickjacking attack and trick a user into leaking saved payment card details to a malicious page.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 120.0 - 138.0.4
Firefox ESR: 128.0 - 128.10.1
Firefox for Android: 120.0 - 138.0
CPE2.3- cpe:2.3:a:mozilla:mozilla_firefox:120.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:120.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:121.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:128.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:128.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:128.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:128.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:128.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:128.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:128.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:128.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:128.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:128.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:120.0:*:*:*:*:*:*:*
https://bugzilla.mozilla.org/show_bug.cgi?id=1954137
https://www.mozilla.org/security/advisories/mfsa2025-42/
https://www.mozilla.org/security/advisories/mfsa2025-44/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
