| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 16 |
| CVE-ID | CVE-2025-13018 CVE-2025-13015 CVE-2025-13014 CVE-2025-13020 CVE-2025-13013 CVE-2025-13019 CVE-2025-13017 CVE-2025-13016 CVE-2025-13012 CVE-2025-13021 CVE-2025-13022 CVE-2025-13023 CVE-2025-13024 CVE-2025-13025 CVE-2025-13026 CVE-2025-13027 |
| CWE-ID | CWE-693 CWE-451 CWE-416 CWE-119 CWE-362 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software | Mozilla Firefox (Client/Desktop applications / Web browsers), Firefox ESR (Client/Desktop applications / Web browsers), Firefox for Android (Mobile applications / Apps for mobile phones) |
| Vendor | Mozilla |
Security Bulletin
This security bulletin contains information about 16 vulnerabilities.
EUVDB-ID: #VU118261
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-13018
CWE-ID:
CWE-693 - Protection Mechanism Failure
Exploit availability: No
Description: The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient implementation of security measures in the DOM: Security component. An attacker can bypass implemented security restrictions.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions:
Mozilla Firefox: 120.0 - 144.0.2
Firefox for Android: 120.0 - 144.0.2
Firefox ESR: 128.0 - 140.4.0
External links:
https://www.mozilla.org/en-US/security/advisories/mfsa2025-88/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-87/
https://bugzilla.mozilla.org/show_bug.cgi?id=1984940
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into visiting a specially crafted website.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU118258
Risk: Low
CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-13015
CWE-ID:
CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)
Exploit availability: No
Description: The vulnerability allows a remote attacker to perform a spoofing attack.
The vulnerability exists due to incorrect processing of user-supplied data. A remote attacker can perform a spoofing attack.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions:
Mozilla Firefox: 14.0.1 - 144.0.2
Firefox for Android: 100.1.0 - 144.0.2
Firefox ESR: 115.0 - 140.4.0
External links:
https://www.mozilla.org/en-US/security/advisories/mfsa2025-89/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-88/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-87/
https://bugzilla.mozilla.org/show_bug.cgi?id=1994164
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into visiting a specially crafted website.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU118257
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-13014
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
Description: The vulnerability allows a remote attacker to crash the browser.
The vulnerability exists due to a use-after-free error in the Audio/Video component. A remote attacker can trick the victim into visiting a specially crafted website and crash the browser.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions:
Mozilla Firefox: 14.0.1 - 144.0.2
Firefox for Android: 100.1.0 - 144.0.2
Firefox ESR: 115.0 - 140.4.0
External links:
https://www.mozilla.org/en-US/security/advisories/mfsa2025-89/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-88/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-87/
https://bugzilla.mozilla.org/show_bug.cgi?id=1994241
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into visiting a specially crafted website.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU118263
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-13020
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
Description: The vulnerability allows a remote attacker to crash the browser.
The vulnerability exists due to a use-after-free error in the WebRTC: Audio/Video component. A remote attacker can trick the victim into visiting a specially crafted website and crash the browser.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions:
Mozilla Firefox: 120.0 - 144.0.2
Firefox for Android: 120.0 - 144.0.2
Firefox ESR: 128.0 - 140.4.0
External links:
https://www.mozilla.org/en-US/security/advisories/mfsa2025-88/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-87/
https://bugzilla.mozilla.org/show_bug.cgi?id=1994241
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into visiting a specially crafted website.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU118256
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-13013
CWE-ID:
CWE-693 - Protection Mechanism Failure
Exploit availability: No
Description: The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient implementation of security measures in the DOM: Core & HTML component. An attacker can bypass implemented security restrictions.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions:
Mozilla Firefox: 14.0.1 - 144.0.2
Firefox for Android: 100.1.0 - 144.0.2
Firefox ESR: 115.0 - 140.4.0
External links:
https://www.mozilla.org/en-US/security/advisories/mfsa2025-89/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-88/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-87/
https://bugzilla.mozilla.org/show_bug.cgi?id=1991945
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into visiting a specially crafted website.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU118262
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-13019
CWE-ID:
CWE-693 - Protection Mechanism Failure
Exploit availability: No
Description: The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient implementation of security measures in the DOM: Workers component. An attacker can bypass implemented security restrictions.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions:
Mozilla Firefox: 120.0 - 144.0.2
Firefox for Android: 120.0 - 144.0.2
Firefox ESR: 128.0 - 140.4.0
External links:
https://www.mozilla.org/en-US/security/advisories/mfsa2025-88/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-87/
https://bugzilla.mozilla.org/show_bug.cgi?id=1984940
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into visiting a specially crafted website.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU118260
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-13017
CWE-ID:
CWE-693 - Protection Mechanism Failure
Exploit availability: No
Description: The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient implementation of security measures in the DOM: Notifications component. An attacker can bypass implemented security restrictions.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions:
Mozilla Firefox: 120.0 - 144.0.2
Firefox for Android: 120.0 - 144.0.2
Firefox ESR: 128.0 - 140.4.0
External links:
https://www.mozilla.org/en-US/security/advisories/mfsa2025-88/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-87/
https://bugzilla.mozilla.org/show_bug.cgi?id=1980904
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into visiting a specially crafted website.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU118259
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2025-13016
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description: The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the JavaScript: WebAssembly component. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions:
Mozilla Firefox: 120.0 - 144.0.2
Firefox for Android: 120.0 - 144.0.2
Firefox ESR: 128.0 - 140.4.0
External links:
https://www.mozilla.org/en-US/security/advisories/mfsa2025-88/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-87/
https://bugzilla.mozilla.org/show_bug.cgi?id=1992130
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into visiting a specially crafted website.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU118255
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2025-13012
Exploit availability: No
Description: The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to a race condition in the Graphics component. A remote attacker can trick the victim into visiting a specially crafted website and execute arbitrary code on the system.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions:
Mozilla Firefox: 14.0.1 - 144.0.2
Firefox for Android: 100.1.0 - 144.0.2
Firefox ESR: 115.0 - 140.4.0
External links:
https://www.mozilla.org/en-US/security/advisories/mfsa2025-89/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-88/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-87/
https://bugzilla.mozilla.org/show_bug.cgi?id=1991458
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into visiting a specially crafted website.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU118264
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2025-13021
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description: The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the Graphics: WebGPU component. A remote attacker can trick the victim into opening a specially crafted website, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions:
Mozilla Firefox: 141.0 - 144.0.2
Firefox for Android: 141.0 - 144.0.2
External links:
https://www.mozilla.org/en-US/security/advisories/mfsa2025-87/
https://bugzilla.mozilla.org/show_bug.cgi?id=1986431
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into visiting a specially crafted website.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU118265
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2025-13022
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description: The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the Graphics: WebGPU component. A remote attacker can trick the victim into opening a specially crafted website, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions:
Mozilla Firefox: 141.0 - 144.0.2
Firefox for Android: 141.0 - 144.0.2
External links:
https://www.mozilla.org/en-US/security/advisories/mfsa2025-87/
https://bugzilla.mozilla.org/show_bug.cgi?id=1988488
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into visiting a specially crafted website.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU118266
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2025-13023
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description: The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the Graphics: WebGPU component. A remote attacker can trick the victim into opening a specially crafted website, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions:
Mozilla Firefox: 141.0 - 144.0.2
Firefox for Android: 141.0 - 144.0.2
External links:
https://www.mozilla.org/en-US/security/advisories/mfsa2025-87/
https://bugzilla.mozilla.org/show_bug.cgi?id=1992032
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into visiting a specially crafted website.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU118267
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2025-13024
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description: The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the JavaScript Engine: JIT component. A remote attacker can trick the victim into opening a specially crafted website, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions:
Mozilla Firefox: 141.0 - 144.0.2
Firefox for Android: 141.0 - 144.0.2
External links:
https://www.mozilla.org/en-US/security/advisories/mfsa2025-87/
https://bugzilla.mozilla.org/show_bug.cgi?id=1992902
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into visiting a specially crafted website.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU118268
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2025-13025
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description: The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the Graphics: WebGPU component. A remote attacker can trick the victim into opening a specially crafted website, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions:
Mozilla Firefox: 141.0 - 144.0.2
Firefox for Android: 141.0 - 144.0.2
External links:
https://www.mozilla.org/en-US/security/advisories/mfsa2025-87/
https://bugzilla.mozilla.org/show_bug.cgi?id=1994022
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into visiting a specially crafted website.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU118269
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2025-13026
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description: The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the Graphics: WebGPU component. A remote attacker can trick the victim into opening a specially crafted website, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions:
Mozilla Firefox: 141.0 - 144.0.2
Firefox for Android: 141.0 - 144.0.2
External links:
https://www.mozilla.org/en-US/security/advisories/mfsa2025-87/
https://bugzilla.mozilla.org/show_bug.cgi?id=1994441
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into visiting a specially crafted website.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU118270
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2025-13027
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description: The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions:
Mozilla Firefox: 141.0 - 144.0.2
Firefox for Android: 141.0 - 144.0.2
External links:
https://www.mozilla.org/en-US/security/advisories/mfsa2025-87/
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1987237
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1990079
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1991715
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1994994
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into visiting a specially crafted website.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.