CVE-2025-11713 — Improper Encoding or Escaping of Output in Mozilla Firefox

CWE-116 — Improper Encoding or Escaping of Output CWE-88 — Argument Injection11 documents8 sources

Severity

8.1HIGHNVD

EPSS

0.0%

top 88.88%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Thunderbird

Timeline

PublishedOct 14

Latest updateFeb 2

Description

Insufficient escaping in the “Copy as cURL” feature could have been used to trick a user into executing unexpected code on Windows. This did not affect the application when running on other operating systems. This vulnerability was fixed in Firefox 144, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:NExploitability: 2.8 | Impact: 5.2

Affected Packages3 packages

▶NVDmozilla/firefox< 140.4.0+1

▶NVDmozilla/thunderbird141.0 — 144.0+1

▶Ubuntumozilla/thunderbird< 1:140.7.1+build1-0ubuntu0.22.04.1

🔴Vulnerability Details

GHSA

GHSA-pwc5-5wfj-q75c: Insufficient escaping in the “Copy as cURL” feature could have been used to trick a user into executing unexpected code on Windows↗2025-10-14

▶

CVEList

Potential user-assisted code execution in “Copy as cURL” command↗2025-10-14

▶

OSV

CVE-2025-11713: Insufficient escaping in the “Copy as cURL” feature could have been used to trick a user into executing unexpected code on Windows↗2025-10-14

▶

📋Vendor Advisories

Ubuntu

Thunderbird vulnerabilities↗2026-02-02

▶

Red Hat

thunderbird: firefox: Potential user-assisted code execution in “Copy as cURL” command↗2025-10-14

▶

Debian

CVE-2025-11713: firefox - Insufficient escaping in the “Copy as cURL” feature could have been used to tric...↗2025

▶

Mozilla

Mozilla Foundation Security Advisory 2025-84: CVE-2025-11713↗

▶

Mozilla

Mozilla Foundation Security Advisory 2025-81: CVE-2025-11713↗

▶