Mozilla Foundation Security Advisory 2025-43

Security Vulnerabilities fixed in Firefox ESR 115.24

Announced

May 27, 2025

Impact

critical

Products

Firefox ESR

Fixed in

Firefox ESR 115.24

#MFSA-TMP-2025-0001: Double-free in libvpx encoder

Reporter: Randell Jesup
Impact: critical

Description

A double-free could have occurred in vpx_codec_enc_init_multi after a failed allocation when initializing the encoder for WebRTC. This could have caused memory corruption and a potentially exploitable crash.

References

Bug 1962421

#CVE-2025-5263: Error handling for script execution was incorrectly isolated from web content

Reporter: terjanq
Impact: moderate

Description

Error handling for script execution was incorrectly isolated from web content, which could have allowed cross-origin leak attacks.

References

Bug 1960745

#CVE-2025-5264: Potential local code execution in “Copy as cURL” command

Reporter: Ameen Basha M K
Impact: moderate

Description

Due to insufficient escaping of the newline character in the “Copy as cURL” feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system.

References

Bug 1950001

#CVE-2025-5265: Potential local code execution in “Copy as cURL” command

Reporter: Ameen Basha M K
Impact: moderate

Description

Due to insufficient escaping of the ampersand character in the “Copy as cURL” feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system.
This bug only affects Firefox for Windows. Other versions of Firefox are unaffected.

References

Bug 1962301

Firefox for Desktop

Firefox for iOS

Firefox for Android

Firefox Focus

Firefox blog

Mozilla VPN

Mozilla Monitor

Firefox Relay

Pocket

MDN Plus

Fakespot

Thunderbird

About Mozilla

The Mozilla Manifesto

Get Involved

Blog