Mozilla Foundation Security Advisory 2025-44

Security Vulnerabilities fixed in Firefox ESR 128.11

Announced

May 27, 2025

Impact

critical

Products

Firefox ESR

Fixed in

Firefox ESR 128.11

#MFSA-TMP-2025-0001: Double-free in libvpx encoder

Reporter: Randell Jesup
Impact: critical

Description

A double-free could have occurred in vpx_codec_enc_init_multi after a failed allocation when initializing the encoder for WebRTC. This could have caused memory corruption and a potentially exploitable crash.

References

Bug 1962421

#CVE-2025-5263: Error handling for script execution was incorrectly isolated from web content

Reporter: terjanq
Impact: moderate

Description

Error handling for script execution was incorrectly isolated from web content, which could have allowed cross-origin leak attacks.

References

Bug 1960745

#CVE-2025-5264: Potential local code execution in “Copy as cURL” command

Reporter: Ameen Basha M K
Impact: moderate

Description

Due to insufficient escaping of the newline character in the “Copy as cURL” feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system.

References

Bug 1950001

#CVE-2025-5265: Potential local code execution in “Copy as cURL” command

Reporter: Ameen Basha M K
Impact: moderate

Description

Due to insufficient escaping of the ampersand character in the “Copy as cURL” feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system.
This bug only affects Firefox for Windows. Other versions of Firefox are unaffected.

References

Bug 1962301

#CVE-2025-5266: Script element events leaked cross-origin resource status

Reporter: Jakub Szymsza
Impact: moderate

Description

Script elements loading cross-origin resources generated load and error events which leaked information enabling XS-Leaks attacks.

References

Bug 1965628

#CVE-2025-5267: Clickjacking vulnerability could have led to leaking saved payment card details

Reporter: Ameen Basha M K
Impact: low

Description

A clickjacking vulnerability could have been used to trick a user into leaking saved payment card details to a malicious page.

References

Bug 1954137

#CVE-2025-5268: Memory safety bugs fixed in Firefox 139, Thunderbird 139, Firefox ESR 128.11, and Thunderbird 128.11

Reporter: the Mozilla Fuzzing Team, Masayuki Nakano
Impact: moderate

Description

Memory safety bugs present in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

References

Memory safety bugs fixed in Firefox 139, Thunderbird 139, Firefox ESR 128.11, and Thunderbird 128.11

#CVE-2025-5269: Memory safety bug fixed in Firefox ESR 128.11 and Thunderbird 128.11

Reporter: Randell Jesup
Impact: moderate

Description

Memory safety bug present in Firefox ESR 128.10, and Thunderbird 128.10. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code.

References

Memory safety bug fixed in Firefox ESR 128.11 and Thunderbird 128.11

Firefox for Desktop

Firefox for iOS

Firefox for Android

Firefox Focus

Firefox blog

Mozilla VPN

Mozilla Monitor

Firefox Relay

Pocket

MDN Plus

Fakespot

Thunderbird

About Mozilla

The Mozilla Manifesto

Get Involved

Blog