Mozilla Foundation Security Advisory 2025-30
Security Vulnerabilities fixed in Firefox ESR 115.23
- Announced
- April 29, 2025
- Impact
- high
- Products
- Firefox ESR
- Fixed in
-
- Firefox ESR 115.23
#CVE-2025-2817: Privilege escalation in Firefox Updater
- Reporter
- Dong-uk Kim (@justlikebono)
- Impact
- high
Description
Mozilla Firefox's update mechanism allowed a medium-integrity user process to interfere with the SYSTEM-level updater by manipulating the file-locking behavior. By injecting code into the user-privileged process, an attacker could bypass intended access controls, allowing SYSTEM-level file operations on paths controlled by a non-privileged user and enabling privilege escalation.
References
#CVE-2025-4082: WebGL shader attribute memory corruption in Firefox for macOS
- Reporter
- un3xploitable & GF
- Impact
- high
Description
Modification of specific WebGL shader attributes could trigger an out-of-bounds read, which, when chained with other vulnerabilities, could be used to escalate privileges.
This bug only affects Firefox for macOS. Other versions of Firefox are unaffected.
References
#CVE-2025-4083: Process isolation bypass using "javascript:" URI links in cross-origin frames
- Reporter
- Nika Layzell
- Impact
- high
Description
A process isolation vulnerability in Firefox stemmed from improper handling of javascript: URIs, which could allow content to execute in the top-level document's process instead of the intended frame, potentially enabling a sandbox escape.
References
#CVE-2025-4084: Potential local code execution in "copy as cURL" command
- Reporter
- Ameen Basha M K
- Impact
- moderate
Description
Due to insufficient escaping of the ampersand character in the "copy as cURL" feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system.
This bug only affects Firefox for Windows. Other versions of Firefox are unaffected.