Multiple vulnerabilities in Mozilla Firefox



Risk: High
Patch available: YES
Number of vulnerabilities: 18
CVE-ID: CVE-2025-8032, CVE-2025-8035, CVE-2025-8040, CVE-2025-8034, CVE-2025-8033, CVE-2025-8039, CVE-2025-8038, CVE-2025-8031, CVE-2025-8027, CVE-2025-8030, CVE-2025-8037, CVE-2025-8036, CVE-2025-8029, CVE-2025-8028, CVE-2025-8041, CVE-2025-8042, CVE-2025-8043, CVE-2025-8044
CWE-ID: CWE-693, CWE-119, CWE-476, CWE-450, CWE-200, CWE-126, CWE-94, CWE-682, CWE-451
Exploitation vector: Network
Public exploit: N/A
Vulnerable software:
Mozilla Firefox (Client/Desktop applications / Web browsers)
Firefox ESR (Client/Desktop applications / Web browsers)
Firefox for Android (Mobile applications / Apps for mobile phones)
Firefox Focus for Android (Mobile applications / Apps for mobile phones)
Vendor: Mozilla

Security Bulletin

This security bulletin contains information about 18 vulnerabilities.

1) Protection Mechanism Failure

EUVDB-ID: #VU113144

Risk: Medium

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-8032

CWE-ID: CWE-693 - Protection Mechanism Failure

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to incorrect propagation of the source document when loading an XSLT document. A remote attacker can bypass CSP restrictions. 

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 128.0 - 140.0.4

Firefox ESR: 128.0 - 140.0

Firefox for Android: 128.0 - 140.0.4

External links

https://www.mozilla.org/en-US/security/advisories/mfsa2025-58/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-59/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-56/
https://bugzilla.mozilla.org/show_bug.cgi?id=1974407


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Buffer overflow

EUVDB-ID: #VU113145

Risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2025-8035

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 128.0 - 140.0.4

Firefox ESR: 128.0 - 140.0

Firefox for Android: 128.0 - 140.0.4

External links

https://www.mozilla.org/en-US/security/advisories/mfsa2025-58/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-59/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-56/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Buffer overflow

EUVDB-ID: #VU113150

Risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2025-8040

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 130.0 - 140.0.4

Firefox ESR: 140.0

Firefox for Android: 130.0 - 140.0.4

External links

https://www.mozilla.org/en-US/security/advisories/mfsa2025-59/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-56/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Buffer overflow

EUVDB-ID: #VU113140

Risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2025-8034

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 120.0 - 140.0.4

Firefox ESR: 115.0 - 140.0

Firefox for Android: 120.0 - 140.0.4

External links

https://www.mozilla.org/en-US/security/advisories/mfsa2025-57/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-58/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-59/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-56/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) NULL pointer dereference

EUVDB-ID: #VU113139

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2025-8033

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in the JavaScript engine when handling closed generators. A remote attacker can trick the victim into visiting a specially crafted website and crash the browser. 

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 120.0 - 140.0.4

Firefox ESR: 115.0 - 140.0

Firefox for Android: 120.0 - 140.0.4

External links

https://www.mozilla.org/en-US/security/advisories/mfsa2025-57/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-58/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-59/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-56/
https://bugzilla.mozilla.org/show_bug.cgi?id=1973990


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Multiple Interpretations of UI Input

EUVDB-ID: #VU113149

Risk: Low

CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2025-8039

CWE-ID: CWE-450 - Multiple Interpretations of UI Input

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists because, in some cases, search terms persisted in the URL bar even after navigating away from the search page. A remote attacker can obtain information about previous searches.



Mitigation

Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 130.0 - 140.0.4

Firefox ESR: 140.0

Firefox for Android: 130.0 - 140.0.4

External links

https://www.mozilla.org/en-US/security/advisories/mfsa2025-59/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-56/
https://bugzilla.mozilla.org/show_bug.cgi?id=1970997


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Protection Mechanism Failure

EUVDB-ID: #VU113148

Risk: Low

CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]

CVE-ID: CVE-2025-8038

CWE-ID: CWE-693 - Protection Mechanism Failure

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists because Firefox ignored paths when checking the validity of navigations in a frame. A remote attacker can bypass the CSP frame-src setting.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 130.0 - 140.0.4

Firefox ESR: 140.0

Firefox for Android: 130.0 - 140.0.4

External links

https://www.mozilla.org/en-US/security/advisories/mfsa2025-59/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-56/
https://bugzilla.mozilla.org/show_bug.cgi?id=1808979


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Information disclosure

EUVDB-ID: #VU113143

Risk: Low

CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2025-8031

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to incorrect stripping in CSP reports. The username:password part was not correctly stripped from URLs in CSP reports, potentially leaking HTTP Basic Authentication credentials.

Mitigation

Install updates from vendor's website.
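
Clients that have not yet been updated can still deliver such reports to a report collector. The following added example (not code from Mozilla or from this bulletin) redacts the username:password part from the URL fields of an incoming CSP report before it is stored, for both the legacy `csp-report` format and the Reporting API format. The sample reports, host names and function names are constructed for illustration.

```javascript
// URL-bearing fields in the two CSP report formats.
const LEGACY_URL_FIELDS = ['document-uri', 'referrer', 'blocked-uri', 'source-file'];
const REPORTING_API_URL_FIELDS = ['documentURL', 'referrer', 'blockedURL', 'sourceFile'];

// Remove the userinfo (username:password@) component from one value.
// Keyword values such as "inline" or "eval" do not parse as URLs and are
// returned unchanged, as are URLs that carry no credentials.
function stripUserinfo(value) {
  if (typeof value !== 'string' || value === '') return { value, changed: false };
  let parsed;
  try {
    parsed = new URL(value);
  } catch {
    return { value, changed: false };
  }
  if (parsed.username === '' && parsed.password === '') {
    return { value, changed: false };
  }
  parsed.username = '';
  parsed.password = '';
  return { value: parsed.href, changed: true };
}

// Return a shallow copy of obj with the listed fields redacted.
// Names of fields that were rewritten are appended to `redacted`.
function sanitizeFields(obj, fields, redacted) {
  const out = { ...obj };
  for (const field of fields) {
    const { value, changed } = stripUserinfo(out[field]);
    if (changed) {
      out[field] = value;
      redacted.push(field);
    }
  }
  return out;
}

// Accepts a parsed JSON body in either report format and returns the
// redacted copy plus the list of fields that contained credentials.
function sanitizeCspReport(payload) {
  const redacted = [];
  let report = payload;
  if (Array.isArray(payload)) {
    // Reporting API (application/reports+json): array of report objects.
    report = payload.map((entry) => {
      if (!entry || entry.type !== 'csp-violation') return entry;
      const top = sanitizeFields(entry, ['url'], redacted);
      top.body = sanitizeFields(entry.body || {}, REPORTING_API_URL_FIELDS, redacted);
      return top;
    });
  } else if (payload && typeof payload['csp-report'] === 'object' && payload['csp-report'] !== null) {
    // Legacy report-uri format (application/csp-report).
    const inner = sanitizeFields(payload['csp-report'], LEGACY_URL_FIELDS, redacted);
    report = { ...payload, 'csp-report': inner };
  }
  return { report, redacted };
}

// Constructed sample reports (not captured traffic).
const SAMPLE_LEGACY = {
  'csp-report': {
    'document-uri': 'https://alice:s3cret@intranet.example/app/index.html?x=1',
    'referrer': '',
    'blocked-uri': 'inline',
    'violated-directive': 'script-src-elem',
  },
};
const SAMPLE_REPORTING_API = [{
  type: 'csp-violation',
  url: 'https://bob:hunter2@intranet.example/dash',
  body: {
    documentURL: 'https://bob:hunter2@intranet.example/dash',
    blockedURL: 'https://cdn.example/lib.js',
    effectiveDirective: 'script-src-elem',
  },
}];

console.log(JSON.stringify(sanitizeCspReport(SAMPLE_LEGACY), null, 2));
console.log(JSON.stringify(sanitizeCspReport(SAMPLE_REPORTING_API), null, 2));
```

A non-empty `redacted` list is also a useful signal that the reporting client is still running an affected version.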

Vulnerable software versions

Mozilla Firefox: 128.0 - 140.0.4

Firefox ESR: 128.0 - 140.0

Firefox for Android: 128.0 - 140.0.4

External links

https://www.mozilla.org/en-US/security/advisories/mfsa2025-58/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-59/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-56/
https://bugzilla.mozilla.org/show_bug.cgi?id=1971719


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Buffer Over-read

EUVDB-ID: #VU113137

Risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2025-8027

CWE-ID: CWE-126 - Buffer over-read

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists on 64-bit systems because the IonMonkey-JIT JavaScript engine writes only 32 bits of the 64-bit return value space on the stack but reads the entire 64 bits. A remote attacker can trick the victim into visiting a specially crafted website and execute arbitrary code on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 120.0 - 140.0.4

Firefox ESR: 115.0 - 140.0

Firefox for Android: 120.0 - 140.0.4

External links

https://www.mozilla.org/en-US/security/advisories/mfsa2025-57/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-58/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-59/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-56/
https://bugzilla.mozilla.org/show_bug.cgi?id=1968423


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Code Injection

EUVDB-ID: #VU113142

Risk: Medium

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-8030

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation in the “Copy as cURL” feature. A remote attacker can trick the victim into copying a specially crafted URL and execute unexpected code on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 128.0 - 140.0.4

Firefox ESR: 128.0 - 140.0

Firefox for Android: 128.0 - 140.0.4

External links

https://www.mozilla.org/en-US/security/advisories/mfsa2025-58/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-59/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-56/
https://bugzilla.mozilla.org/show_bug.cgi?id=1968414


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Protection Mechanism Failure

EUVDB-ID: #VU113147

Risk: Medium

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-8037

CWE-ID: CWE-693 - Protection Mechanism Failure

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to the way Firefox handles nameless cookies with an equals sign in the value. Such a cookie would shadow other cookies, even if the nameless cookie was set over HTTP and the shadowed cookie included the Secure attribute.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 130.0 - 140.0.4

Firefox ESR: 140.0

Firefox for Android: 130.0 - 140.0.4

External links

https://www.mozilla.org/en-US/security/advisories/mfsa2025-59/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-56/
https://bugzilla.mozilla.org/show_bug.cgi?id=1964767


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Protection Mechanism Failure

EUVDB-ID: #VU113146

Risk: Medium

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-8036

CWE-ID: CWE-693 - Protection Mechanism Failure

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists because Firefox caches CORS preflight responses across IP address changes. A remote attacker can circumvent CORS with DNS rebinding.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 130.0 - 140.0.4

Firefox ESR: 140.0

Firefox for Android: 130.0 - 140.0.4

External links

https://www.mozilla.org/en-US/security/advisories/mfsa2025-59/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-56/
https://bugzilla.mozilla.org/show_bug.cgi?id=1960834


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Code Injection

EUVDB-ID: #VU113141

Risk: Medium

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-8029

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary JavaScript code passed via URL.

The vulnerability exists because Firefox executes javascript: URLs when they are used in object and embed tags. A remote attacker can trick the victim into visiting a specially crafted website and execute arbitrary code via object or embed tags.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 128.0 - 140.0.4

Firefox ESR: 128.0 - 140.0

Firefox for Android: 128.0 - 140.0.4

External links

https://www.mozilla.org/en-US/security/advisories/mfsa2025-58/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-59/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-56/
https://bugzilla.mozilla.org/show_bug.cgi?id=1928021


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Incorrect calculation

EUVDB-ID: #VU113138

Risk: High

CVSSv4.0: 4.8 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2025-8028

CWE-ID: CWE-682 - Incorrect Calculation

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists because a WASM br_table instruction with a lot of entries can lead to the label being too far from the instruction, causing truncation and incorrect computation of the branch address. A remote attacker can execute arbitrary code on the target system.

Note: the vulnerability affects ARM64 systems only.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 120.0 - 140.0.4

Firefox ESR: 115.0 - 140.0

Firefox for Android: 120.0 - 140.0.4

External links

https://www.mozilla.org/en-US/security/advisories/mfsa2025-57/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-58/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-59/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-56/
https://bugzilla.mozilla.org/show_bug.cgi?id=1971581


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Spoofing attack

EUVDB-ID: #VU113151

Risk: Medium

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-8041

CWE-ID: CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a spoofing attack.

The vulnerability exists due to incorrect truncation of the URL. A remote attacker can spoof the address bar.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Firefox for Android: 140.0 - 140.0.4

External links

https://www.mozilla.org/en-US/security/advisories/mfsa2025-56/
https://bugzilla.mozilla.org/show_bug.cgi?id=1670725


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Protection Mechanism Failure

EUVDB-ID: #VU113152

Risk: Medium

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-8042

CWE-ID: CWE-693 - Protection Mechanism Failure

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists because the application allows a sandboxed iframe without the allow-downloads attribute to start downloads.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Firefox for Android: 140.0 - 140.0.4

External links

https://www.mozilla.org/en-US/security/advisories/mfsa2025-56/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

17) Spoofing attack

EUVDB-ID: #VU113153

Risk: Medium

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-8043

CWE-ID: CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a spoofing attack.

The vulnerability exists due to incorrect truncation of URLs. A remote attacker can perform a spoofing attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Firefox Focus for Android: before 141.0

External links

https://www.mozilla.org/en-US/security/advisories/mfsa2025-56/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

18) Buffer overflow

EUVDB-ID: #VU113154

Risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2025-8044

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 140.0 - 140.0.4

Firefox for Android: 140.0 - 140.0.4

External links

https://www.mozilla.org/en-US/security/advisories/mfsa2025-56/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to trick the victim into visiting a specially crafted website.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


