Mozilla Foundation Security Advisory 2025-42

Security Vulnerabilities fixed in Firefox 139

Announced

May 27, 2025

Impact

critical

Products

Firefox

Fixed in

Firefox 139

#MFSA-TMP-2025-0001: Double-free in libvpx encoder

Reporter: Randell Jesup
Impact: critical

Description

A double-free could have occurred in vpx_codec_enc_init_multi after a failed allocation when initializing the encoder for WebRTC. This could have caused memory corruption and a potentially exploitable crash.

References

Bug 1962421

#CVE-2025-5263: Error handling for script execution was incorrectly isolated from web content

Reporter: terjanq
Impact: moderate

Description

Error handling for script execution was incorrectly isolated from web content, which could have allowed cross-origin leak attacks.

References

Bug 1960745

#CVE-2025-5264: Potential local code execution in “Copy as cURL” command

Reporter: Ameen Basha M K
Impact: moderate

Description

Due to insufficient escaping of the newline character in the “Copy as cURL” feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system.

References

Bug 1950001

#CVE-2025-5265: Potential local code execution in “Copy as cURL” command

Reporter: Ameen Basha M K
Impact: moderate

Description

Due to insufficient escaping of the ampersand character in the “Copy as cURL” feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system.
This bug only affects Firefox for Windows. Other versions of Firefox are unaffected.

References

Bug 1962301

#CVE-2025-5266: Script element events leaked cross-origin resource status

Reporter: Jakub Szymsza
Impact: moderate

Description

Script elements loading cross-origin resources generated load and error events which leaked information enabling XS-Leaks attacks.

References

Bug 1965628

#CVE-2025-5270: SNI was sometimes unencrypted

Reporter: xiulou
Impact: low

Description

In certain cases, SNI could have been sent unencrypted even when encrypted DNS was enabled.

References

Bug 1910298

#CVE-2025-5271: Devtools' preview ignored CSP headers

Reporter: Satoki Tsuji
Impact: low

Description

Previewing a response in Devtools ignored CSP headers, which could have allowed content injection attacks.

References

Bug 1920348

#CVE-2025-5267: Clickjacking vulnerability could have led to leaking saved payment card details

Reporter: Ameen Basha M K
Impact: low

Description

A clickjacking vulnerability could have been used to trick a user into leaking saved payment card details to a malicious page.

References

Bug 1954137

#CVE-2025-5268: Memory safety bugs fixed in Firefox 139, Thunderbird 139, Firefox ESR 128.11, and Thunderbird 128.11

Reporter: the Mozilla Fuzzing Team, Masayuki Nakano
Impact: moderate

Description

Memory safety bugs present in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

References

Memory safety bugs fixed in Firefox 139, Thunderbird 139, Firefox ESR 128.11, and Thunderbird 128.11

#CVE-2025-5272: Memory safety bugs fixed in Firefox 139 and Thunderbird 139

Reporter: the Mozilla Fuzzing Team, Andrew Osmond
Impact: moderate

Description

Memory safety bugs present in Firefox 138 and Thunderbird 138. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

References

Memory safety bugs fixed in Firefox 139 and Thunderbird 139

Firefox for Desktop

Firefox for iOS

Firefox for Android

Firefox Focus

Firefox blog

Mozilla VPN

Mozilla Monitor

Firefox Relay

Pocket

MDN Plus

Fakespot

Thunderbird

About Mozilla

The Mozilla Manifesto

Get Involved

Blog