SB2025072881 - SUSE update for MozillaFirefox 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2025072881

SB2025072881 - SUSE update for MozillaFirefox

Published: July 28, 2025

Security Bulletin ID SB2025072881
Severity
High
Patch available
YES
Number of vulnerabilities 14
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 36% Medium 36% Low 29%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 14 secuirty vulnerabilities.


1) Buffer Over-read (CVE-ID: CVE-2025-8027)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists on 64-bit systems due to IonMonkey-JIT JavaScript engine write only 32 bits of the 64-bit return value space on the stack, however read the entire 64 bits. A remote attacker can trick the victim into visiting a specially crafted website and execute arbitrary code on the system.


2) Incorrect calculation (CVE-ID: CVE-2025-8028)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to a WASM br_table instruction with a lot of entries can lead to the label being too far from the instruction causing truncation and incorrect computation of the branch address. A remote attacker can execute arbitrary code on the target system.

Note, the vulnerability affects ARM64 systems only. 


3) Code Injection (CVE-ID: CVE-2025-8029)

The vulnerability allows a remote attacker to execute arbitrary JavaScript code passed via URL.

The vulnerability exists due to Firefox executes javascript: URLs when used in object and embed tags. A remote attacker can trick the victim into visiting a specially crafted website and execute arbitrary code via objects or embed tags.


4) Code Injection (CVE-ID: CVE-2025-8030)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation in the “Copy as cURL” feature. A remote attacker can trick the victim into copying a specially crafted URL and execute unexpected code on the system.


5) Information disclosure (CVE-ID: CVE-2025-8031)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to incorrect stripping in CSP reports. The username:password part was not correctly stripped from URLs in CSP reports potentially leaking HTTP Basic Authentication credentials.


6) Protection Mechanism Failure (CVE-ID: CVE-2025-8032)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to incorrect propagation of the source document when loading an XSLT document. A remote attacker can bypass CSP restrictions. 


7) NULL pointer dereference (CVE-ID: CVE-2025-8033)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in the JavaScript engine when handling closed generators. A remote attacker can trick the victim into visiting a specially crafted website and crash the browser. 


8) Buffer overflow (CVE-ID: CVE-2025-8034)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


9) Buffer overflow (CVE-ID: CVE-2025-8035)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


10) Protection Mechanism Failure (CVE-ID: CVE-2025-8036)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to Firefox caches CORS preflight responses across IP address changes. A remote attacker can circumvent CORS with DNS rebinding.


11) Protection Mechanism Failure (CVE-ID: CVE-2025-8037)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to the way Firefox handles nameless cookies with an equals sign in the value. Such a cookie would shadow other cookies, even if the nameless cookie was set over HTTP and the shadowed cookie included the Secure attribute.


12) Protection Mechanism Failure (CVE-ID: CVE-2025-8038)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to Firefox ignored paths when checking the validity of navigations in a frame. A remote attacker can bypass CSP frame-src setting. 


13) Multiple Interpretations of UI Input (CVE-ID: CVE-2025-8039)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to in some cases search terms persisted in the URL bar even after navigating away from the search page. A remote attacker can obtain information about previous searches. 




14) Buffer overflow (CVE-ID: CVE-2025-8040)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


Remediation

Install update from vendor's website.

References