| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 14 |
| CVE-ID | CVE-2025-11713 CVE-2025-11715 CVE-2025-11714 CVE-2025-11718 CVE-2025-11708 CVE-2025-11712 CVE-2025-11717 CVE-2025-11716 CVE-2025-11711 CVE-2025-11710 CVE-2025-11709 CVE-2025-11720 CVE-2025-11721 CVE-2025-11719 |
| CWE-ID | CWE-94 CWE-119 CWE-451 CWE-416 CWE-693 CWE-1021 CWE-254 CWE-264 CWE-200 CWE-787 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software | Mozilla Firefox (Client/Desktop applications / Web browsers); Firefox ESR (Client/Desktop applications / Web browsers); Firefox for Android (Mobile applications / Apps for mobile phones); Firefox Focus for Android (Mobile applications / Apps for mobile phones) |
| Vendor | Mozilla |
Security Bulletin
This security bulletin contains information about 14 vulnerabilities.
EUVDB-ID: #VU116997
Risk:
CVSSv4.0: 0 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/E:U]
CVE-ID: CVE-2025-11713
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: No
Description: The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation in the “Copy as cURL” feature. A remote attacker can trick the victim into copying a specially crafted URL and execute arbitrary code on the system.
Note, the vulnerability affects Windows installations only.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions:
Mozilla Firefox: 120.0 - 143.0.4
Firefox ESR: 128.0 - 140.3.1
CPE2.3:
https://www.mozilla.org/en-US/security/advisories/mfsa2025-83/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-81/
https://bugzilla.mozilla.org/show_bug.cgi?id=1986142
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into visiting a specially crafted website.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU116998
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2025-11715
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description: The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions:
Mozilla Firefox: 120.0 - 143.0.4
Firefox ESR: 128.0 - 140.3.1
Firefox for Android: 120.0 - 143.0.4
CPE2.3:
https://www.mozilla.org/en-US/security/advisories/mfsa2025-83/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-81/
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1983838
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1987624
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1988244
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1988912
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1989734
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1990085
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1991899
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into visiting a specially crafted website.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU116994
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2025-11714
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description: The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions:
Firefox ESR: 102.0 - 140.3.1
Mozilla Firefox: 100.0 - 143.0.4
Firefox for Android: 100.1.0 - 143.0.4
CPE2.3:
https://www.mozilla.org/en-US/security/advisories/mfsa2025-82/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-83/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-81/
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1973699
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1989945
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1990970
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1991040
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1992113
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into visiting a specially crafted website.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU117001
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-11718
CWE-ID:
CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)
Exploit availability: No
Description: The vulnerability allows a remote attacker to perform a spoofing attack.
The vulnerability exists due to incorrect processing of user-supplied data. A remote attacker can spoof the browser's address bar.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions:
Firefox for Android: 140.0 - 143.0.4
CPE2.3:
https://www.mozilla.org/en-US/security/advisories/mfsa2025-81/
https://bugzilla.mozilla.org/show_bug.cgi?id=1980808
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into visiting a specially crafted website.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU116995
Risk: High
CVSSv4.0: 5.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2025-11708
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
Description: The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists due to a use-after-free error in MediaTrackGraphImpl::GetInstance(). A remote attacker can trick the victim into visiting a specially crafted website and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions:
Mozilla Firefox: 120.0 - 143.0.4
Firefox ESR: 128.0 - 140.3.1
Firefox for Android: 120.0 - 143.0.4
CPE2.3:
https://www.mozilla.org/en-US/security/advisories/mfsa2025-83/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-81/
https://bugzilla.mozilla.org/show_bug.cgi?id=1988931
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into visiting a specially crafted website.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU116996
Risk: Low
CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-11712
CWE-ID:
CWE-693 - Protection Mechanism Failure
Exploit availability: No
Description: The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient implementation of security measures. A malicious page can use the type attribute of an OBJECT tag to override the default browser behavior when encountering a web resource served without a content-type. This can lead to an XSS on a site that unsafely serves files without a content-type header.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions:
Mozilla Firefox: 120.0 - 143.0.4
Firefox ESR: 128.0 - 140.3.1
Firefox for Android: 120.0 - 143.0.4
CPE2.3:
https://www.mozilla.org/en-US/security/advisories/mfsa2025-83/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-81/
https://bugzilla.mozilla.org/show_bug.cgi?id=1979536
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into visiting a specially crafted website.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
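A server-side check for the precondition named in the CVE-2025-11712 entry above, a resource served without a Content-Type header, which a page can then reinterpret through the type attribute of an OBJECT tag. This is an added example, not part of the bulletin or Mozilla's code; the response samples and path names are constructed, and X-Content-Type-Options: nosniff is flagged as the standard companion hardening for served files, not as the browser-side fix itself.

```python
"""Audit raw HTTP responses for files served without an explicit type.
Added example for the CVE-2025-11712 entry; samples below are constructed."""
from typing import Dict, List, Tuple

# Constructed HTTP/1.1 responses, as a file-hosting endpoint might return them.
# Hand-written samples, not captures from any real server.
RESPONSES: Dict[str, str] = {
    # No Content-Type at all: the browser, or the embedding page, decides.
    "/files/notes": "HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello",
    # Content-Type present, but sniffing is still permitted.
    "/files/data.bin": ("HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
                        "Content-Length: 5\r\n\r\nhello"),
    # Hardened: explicit type plus nosniff.
    "/files/safe.txt": ("HTTP/1.1 200 OK\r\nContent-Type: text/plain; charset=utf-8\r\n"
                        "X-Content-Type-Options: nosniff\r\nContent-Length: 5\r\n\r\nhello"),
}


def parse_response(raw: str) -> Tuple[int, Dict[str, str]]:
    """Split a raw HTTP/1.1 response into (status code, lower-cased header map)."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        # A later duplicate header overwrites an earlier one; fine for this audit.
        headers[name.strip().lower()] = value.strip()
    return status, headers


def audit_response(raw: str) -> List[str]:
    """Return finding codes for a response whose body a browser may sniff or
    reinterpret. An empty list means the response is explicitly typed."""
    status, headers = parse_response(raw)
    findings: List[str] = []
    if status in (204, 304):  # no body to interpret
        return findings
    if "content-type" not in headers:
        findings.append("missing-content-type")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing-nosniff")
    return findings


def audit_site(responses: Dict[str, str]) -> Dict[str, List[str]]:
    """Audit every path and keep only those with findings."""
    return {path: f for path, raw in responses.items() if (f := audit_response(raw))}


if __name__ == "__main__":
    for path, findings in audit_site(RESPONSES).items():
        print(f"{path}: {', '.join(findings)}")
```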
EUVDB-ID: #VU117000
Risk: Low
CVSSv4.0: 0.4 [CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-11717
CWE-ID:
CWE-1021 - Improper Restriction of Rendered UI Layers or Frames
Exploit availability: No
Description: The vulnerability allows an attacker to gain access to sensitive information.
The vulnerability exists due to the way Firefox handles password-related screens. When switching between Android apps using the card carousel, Firefox shows the password edit screen with the password in clear text.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions:
Firefox for Android: 140.0 - 143.0.4
CPE2.3:
https://www.mozilla.org/en-US/security/advisories/mfsa2025-81/
https://bugzilla.mozilla.org/show_bug.cgi?id=1872601
Q & A
Can this vulnerability be exploited remotely?
No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into visiting a specially crafted website.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU116999
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-11716
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
Description: The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to incorrect handling of sandboxed iframes. A remote attacker can trick the victim into clicking on a specially crafted link and open an external app on Android without the required "allow-" permission.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions:
Firefox for Android: 140.0 - 143.0.4
CPE2.3:
https://www.mozilla.org/en-US/security/advisories/mfsa2025-81/
https://bugzilla.mozilla.org/show_bug.cgi?id=1818679
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into visiting a specially crafted website.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU116993
Risk: High
CVSSv4.0: 6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2025-11711
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description: The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists because the application does not properly impose security restrictions, which allows a malicious web application to modify JavaScript object properties that were supposed to be non-writable. A remote attacker can trick the victim into visiting a specially crafted website and execute arbitrary code on the system.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions:
Firefox ESR: 102.0 - 140.3.1
Mozilla Firefox: 100.0 - 143.0.4
Firefox for Android: 100.1.0 - 143.0.4
CPE2.3:
https://www.mozilla.org/en-US/security/advisories/mfsa2025-82/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-83/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-81/
https://bugzilla.mozilla.org/show_bug.cgi?id=1989978
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into visiting a specially crafted website.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU116992
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-11710
CWE-ID:
CWE-200 - Exposure of sensitive information to an unauthorized actor
Exploit availability: No
Description: The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application. A compromised web process using malicious IPC messages can cause the privileged browser process to reveal blocks of its memory to the compromised process.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions:
Firefox ESR: 102.0 - 140.3.1
Mozilla Firefox: 100.0 - 143.0.4
Firefox for Android: 100.1.0 - 143.0.4
CPE2.3:
https://www.mozilla.org/en-US/security/advisories/mfsa2025-82/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-83/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-81/
https://bugzilla.mozilla.org/show_bug.cgi?id=1989899
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into visiting a specially crafted website.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU116991
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2025-11709
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
Description: The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists due to a boundary error when processing WebGL textures. A remote attacker can create a specially crafted website, trick the victim into opening it using the affected software, trigger an out-of-bounds write and execute arbitrary code on the target system.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions:
Firefox ESR: 102.0 - 140.3.1
Mozilla Firefox: 100.0 - 143.0.4
Firefox for Android: 100.1.0 - 143.0.4
CPE2.3:
https://www.mozilla.org/en-US/security/advisories/mfsa2025-82/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-83/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-81/
https://bugzilla.mozilla.org/show_bug.cgi?id=1989127
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into visiting a specially crafted website.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU117002
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-11720
CWE-ID:
CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)
Exploit availability: No
Description: The vulnerability allows a remote attacker to perform a spoofing attack.
The vulnerability exists due to incorrect processing of user-supplied data. The Firefox and Firefox Focus UI for the Android custom tab feature only shows the "site" that was loaded, not the full hostname, leading to a spoofing attack.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions:
Firefox for Android: 140.0 - 143.0.4
Firefox Focus for Android: before 144.0
CPE2.3:
https://www.mozilla.org/en-US/security/advisories/mfsa2025-81/
https://bugzilla.mozilla.org/show_bug.cgi?id=1979534
https://bugzilla.mozilla.org/show_bug.cgi?id=1984370
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into visiting a specially crafted website.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU117003
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2025-11721
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description: The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions:
Mozilla Firefox: 143.0 - 143.0.4
CPE2.3:
https://www.mozilla.org/en-US/security/advisories/mfsa2025-81/
https://bugzilla.mozilla.org/show_bug.cgi?id=1986816
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into visiting a specially crafted website.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU117004
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-11719
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
Description: The vulnerability allows a remote attacker to crash the browser.
The vulnerability exists due to a use-after-free error in the native messaging API. A remote attacker can trick the victim into visiting a specially crafted website and crash the browser.
Note, the vulnerability affects Windows installations only.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions:
Mozilla Firefox: 143.0 - 143.0.4
CPE2.3:
https://www.mozilla.org/en-US/security/advisories/mfsa2025-81/
https://bugzilla.mozilla.org/show_bug.cgi?id=1991950
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into visiting a specially crafted website.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.