Main Vulnerability Database Vulnerabilities #VU102424

#VU102424 Unintended Proxy or Intermediary in Mozilla Firefox and Firefox ESR - CVE-2025-0237

Published: January 7, 2025

Vulnerability identifier: #VU102424

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2025-0237

CWE-ID: CWE-441

Exploitation vector: Local access

Exploit availability: No public exploit available

Vulnerable software:
Mozilla Firefox
Firefox ESR

Software vendor:
Mozilla

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to WebChannel API does not check the sending principal but rather accepted the principal being sent when transporting data across processes. A local user can perform confused deputy attack and escalate privileges on the system.

Remediation

Install updates from vendor's website.

External links

https://bugzilla.mozilla.org/show_bug.cgi?id=1915257
https://www.mozilla.org/security/advisories/mfsa2025-01/
https://www.mozilla.org/security/advisories/mfsa2025-02/

#VU102424 Unintended Proxy or Intermediary in Mozilla Firefox and Firefox ESR - CVE-2025-0237

Description

Remediation

External links

Please verify you're human