Mozilla Foundation Security Advisory 2025-73

Security Vulnerabilities fixed in Firefox 143

Announced: September 16, 2025
Impact: high
Products: Firefox
Fixed in:
  • Firefox 143

CVE-2025-10527: Sandbox escape due to use-after-free in the Graphics: Canvas2D component

Reporter: Oskar L
Impact: high
References

CVE-2025-10528: Sandbox escape due to undefined behavior, invalid pointer in the Graphics: Canvas2D component

Reporter: Oskar L
Impact: high
References

CVE-2025-10529: Same-origin policy bypass in the Layout component

Reporter: Daniel Holbert
Impact: moderate
References

CVE-2025-10530: Spoofing issue in the WebAuthn component in Firefox for Android

Reporter: Hafiizh & Kang Ali
Impact: moderate
References

CVE-2025-10531: Mitigation bypass in the Web Compatibility: Tooling component

Reporter: Nikolaos Mourousias
Impact: moderate
References

CVE-2025-10532: Incorrect boundary conditions in the JavaScript: GC component

Reporter: Gary Kwong
Impact: moderate
References

CVE-2025-10533: Integer overflow in the SVG component

Reporter: Andrew Creskey
Impact: moderate
References

CVE-2025-10534: Spoofing issue in the Site Permissions component

Reporter: Emma Zühlcke
Impact: low
References

CVE-2025-10535: Information disclosure, mitigation bypass in the Privacy component in Firefox for Android

Reporter: Rebeca Tudor
Impact: low
References

CVE-2025-10536: Information disclosure in the Networking: Cache component

Reporter: Ibuki Sato
Impact: low
References

CVE-2025-10537: Memory safety bugs fixed in Firefox ESR 140.3, Thunderbird ESR 140.3, Firefox 143 and Thunderbird 143

Reporter: Andrew McCreight and the Mozilla Fuzzing Team
Impact: high
Description

Memory safety bugs present in Firefox ESR 140.2, Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

References