CVE-2025-5265 — Command Injection in Mozilla Firefox

CWE-77 — Command Injection CWE-116 — Improper Encoding or Escaping of Output12 documents8 sources

Severity

4.8MEDIUMNVD

EPSS

0.1%

top 81.56%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Thunderbird

Timeline

PublishedMay 27

Latest updateJul 22

Description

Due to insufficient escaping of the ampersand character in the “Copy as cURL” feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. *This bug only affects Firefox for Windows. Other versions of Firefox are unaffected.*. This vulnerability was fixed in Firefox 139, Firefox ESR 115.24, Firefox ESR 128.11, Thunderbird 139, and Thunderbird 128.11.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:LExploitability: 1.3 | Impact: 3.4

Affected Packages2 packages

▶NVDmozilla/firefox116.0 — 128.11.0+2

▶Ubuntumozilla/thunderbird< 1:128.12.0+build1-0ubuntu0.22.04.1

🔴Vulnerability Details

CVEList

Potential local code execution in “Copy as cURL” command↗2025-05-27

▶

GHSA

GHSA-fjj5-r59g-88g7: Due to insufficient escaping of the ampersand character in the “Copy as cURL” feature, an attacker could trick a user into using this command, potenti↗2025-05-27

▶

OSV

CVE-2025-5265: Due to insufficient escaping of the ampersand character in the “Copy as cURL” feature, an attacker could trick a user into using this command, potenti↗2025-05-27

▶

📋Vendor Advisories

Ubuntu

Thunderbird vulnerabilities↗2025-07-22

▶

Red Hat

firefox: thunderbird: Potential local code execution in “Copy as cURL” command↗2025-05-27

▶

Debian

CVE-2025-5265: firefox - Due to insufficient escaping of the ampersand character in the “Copy as cURL” fe...↗2025

▶

Mozilla

Mozilla Foundation Security Advisory 2025-45: CVE-2025-5265↗

▶

Mozilla

Mozilla Foundation Security Advisory 2025-46: CVE-2025-5265↗

▶