CVE-2025-5264 — Command Injection in Mozilla Firefox

CWE-77 — Command Injection CWE-116 — Improper Encoding or Escaping of Output12 documents8 sources

Severity

4.8MEDIUMNVD

EPSS

0.1%

top 66.94%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Thunderbird Mozilla Firefox

Timeline

PublishedMay 27

Latest updateJul 22

Description

Due to insufficient escaping of the newline character in the “Copy as cURL” feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. This vulnerability was fixed in Firefox 139, Firefox ESR 115.24, Firefox ESR 128.11, Thunderbird 139, and Thunderbird 128.11.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:LExploitability: 1.3 | Impact: 3.4

Affected Packages2 packages

▶NVDmozilla/firefox116.0 — 128.11.0+2

▶Debianmozilla/thunderbird< 1:128.11.0esr-1~deb11u1+3

🔴Vulnerability Details

GHSA

GHSA-7rph-qq97-wqp5: Due to insufficient escaping of the newline character in the “Copy as cURL” feature, an attacker could trick a user into using this command, potential↗2025-05-27

▶

CVEList

Potential local code execution in “Copy as cURL” command↗2025-05-27

▶

OSV

CVE-2025-5264: Due to insufficient escaping of the newline character in the “Copy as cURL” feature, an attacker could trick a user into using this command, potential↗2025-05-27

▶

📋Vendor Advisories

Ubuntu

Thunderbird vulnerabilities↗2025-07-22

▶

Red Hat

firefox: thunderbird: Potential local code execution in “Copy as cURL” command↗2025-05-27

▶

Debian

CVE-2025-5264: firefox - Due to insufficient escaping of the newline character in the “Copy as cURL” feat...↗2025

▶

Mozilla

Mozilla Foundation Security Advisory 2025-45: CVE-2025-5264↗

▶

Mozilla

Mozilla Foundation Security Advisory 2025-46: CVE-2025-5264↗

▶