CVE-2025-4084: Improper Encoding or Escaping of Output in Mozilla Firefox

Severity: 5.7 MEDIUM (NVD)
EPSS: 0.3% (top 48.25%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 29

Description

Due to insufficient escaping of the special characters in the "copy as cURL" feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. *This bug only affects Firefox for Windows. Other versions of Firefox are unaffected.* This vulnerability was fixed in Firefox ESR 128.10, Firefox ESR 115.23, and Thunderbird 128.10.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Exploitability: 2.1 | Impact: 3.6

Affected Packages (2 packages)

NVD mozilla/firefox 128.0 128.10 +1
NVD mozilla/thunderbird < 128.10.0

🔴Vulnerability Details (3)

OSV: CVE-2025-4084: Due to insufficient escaping of the special characters in the "copy as cURL" feature, an attacker could trick a user into using this command, potentia (2025-04-29)
GHSA: GHSA-gx9w-3cv3-7x4r: Due to insufficient escaping of the special characters in the "copy as cURL" feature, an attacker could trick a user into using this command, potentia (2025-04-29)
CVEList: Potential local code execution in "copy as cURL" command (2025-04-29)

📋Vendor Advisories (5)

Red Hat: firefox: thunderbird: Potential local code execution in "copy as cURL" command (2025-04-29)
Debian: CVE-2025-4084: firefox-esr - Due to insufficient escaping of the special characters in the "copy as cURL" fea... 2025
Mozilla: Mozilla Foundation Security Advisory 2025-32: CVE-2025-4084
Mozilla: Mozilla Foundation Security Advisory 2025-29: CVE-2025-4084
Mozilla: Mozilla Foundation Security Advisory 2025-30: CVE-2025-4084
CVE-2025-4084 — Improper Encoding or Escaping of Output | cvebase