CVE-2025-5264

Summary

Due to insufficient escaping of the newline character in the “Copy as cURL” feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. This vulnerability was fixed in Firefox 139, Firefox ESR 115.24, Firefox ESR 128.11, Thunderbird 139, and Thunderbird 128.11.

Affected Software

VendorProductVersion RangeStatus
MozillaFirefox115.24 <= 115.*unaffected
MozillaFirefox128.11 <= 128.*unaffected
MozillaFirefox139 <= *unaffected
MozillaThunderbird128.11 <= 128.*unaffected
MozillaThunderbird139 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

CVE Program Container

Additional References

References