Main Vulnerability Database Vulnerabilities #VU102424

Unintended Proxy or Intermediary in Mozilla Firefox and Firefox ESR - CVE-2025-0237

Published: January 7, 2025

Vulnerability identifier: #VU102424

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2025-0237

CWE-ID: CWE-441

Exploitation vector: Local access

Exploit availability: No public exploit available

Vendor: Mozilla

Affected software:
Mozilla Firefox
Firefox ESR

Detailed vulnerability description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to WebChannel API does not check the sending principal but rather accepted the principal being sent when transporting data across processes. A local user can perform confused deputy attack and escalate privileges on the system.

How to mitigate CVE-2025-0237

Install updates from vendor's website.

Sources

https://bugzilla.mozilla.org/show_bug.cgi?id=1915257
https://www.mozilla.org/security/advisories/mfsa2025-01/
https://www.mozilla.org/security/advisories/mfsa2025-02/

Unintended Proxy or Intermediary in Mozilla Firefox and Firefox ESR - CVE-2025-0237

Detailed vulnerability description

How to mitigate CVE-2025-0237

Sources

Please verify you're human