Debian Firefox vulnerabilities

1,810 known vulnerabilities affecting debian/firefox.

Total CVEs: 1,810
CISA KEV: 11 (actively exploited)
Public exploits: 35
Exploited in wild: 15
Severity breakdown: CRITICAL 333, HIGH 633, MEDIUM 542, LOW 302

Vulnerabilities

Page 16 of 91
CVE-2025-13015 | LOW | CVSS 3.4 | fixed in firefox 145.0-1 (sid) | 2025
CVE-2025-13015 [LOW] firefox - Spoofing issue in Firefox. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Firefox ESR < 115.30, Thunderbird < 145, and Thunderbird < 140.5. Scope: local; sid: resolved (fixed in 145.0-1)
debian
CVE-2025-11719 | LOW | CVSS 9.8 | 2025
CVE-2025-11719 [CRITICAL] firefox - Starting in Thunderbird 143, the use of the native messaging API by web extensions on Windows could lead to crashes caused by use-after-free memory corruption. This vulnerability affects Firefox < 144 and Thunderbird < 144. Scope: local; sid: resolved
debian
CVE-2025-8041 | LOW | CVSS 5.3 | 2025
CVE-2025-8041 [MEDIUM] firefox - In the address bar, Firefox for Android truncated the display of URLs from the end instead of prioritizing the origin. This vulnerability affects Firefox < 141. Scope: local; sid: resolved
debian
CVE-2025-8042 | LOW | CVSS 9.8 | 2025
CVE-2025-8042 [CRITICAL] firefox - Firefox for Android allowed a sandboxed iframe without the `allow-downloads` attribute to start downloads. This vulnerability affects Firefox < 141. Scope: local; sid: resolved
debian
CVE-2025-2817 | LOW | CVSS 8.8 | 2025
CVE-2025-2817 [HIGH] firefox - Thunderbird's update mechanism allowed a medium-integrity user process to interfere with the SYSTEM-level updater by manipulating the file-locking behavior. By injecting code into the user-privileged process, an attacker could bypass intended access controls, allowing SYSTEM-level file operations on paths controlled by a non-privileged user and enabling privilege esca
debian
CVE-2025-23108 | LOW | CVSS 4.3 | 2025
CVE-2025-23108 [MEDIUM] firefox - Opening Javascript links in a new tab via long-press in the Firefox iOS client could result in a malicious script spoofing the URL of the new tab. This vulnerability affects Firefox for iOS < 134. Scope: local; sid: resolved
debian
CVE-2024-8389 | CRITICAL | CVSS 9.8 | fixed in firefox 130.0-1 (sid) | 2024
CVE-2024-8389 [CRITICAL] firefox - Memory safety bugs present in Firefox 129. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 130. Scope: local; sid: resolved (fixed in 130.0-1)
debian
CVE-2024-5699 | CRITICAL | CVSS 9.8 | fixed in firefox 127.0-1 (sid) | 2024
CVE-2024-5699 [CRITICAL] firefox - In violation of spec, cookie prefixes such as `__Secure` were being ignored if they were not correctly capitalized - by spec they should be checked with a case-insensitive comparison. This could have resulted in the browser not correctly honoring the behaviors specified by the prefix. This vulnerability affects Firefox < 127. Scope: local; sid: resolved (fixed in 1
debian
CVE-2024-5701 | CRITICAL | CVSS 9.8 | fixed in firefox 127.0-1 (sid) | 2024
CVE-2024-5701 [CRITICAL] firefox - Memory safety bugs present in Firefox 126. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 127. Scope: local; sid: resolved (fixed in 127.0-1)
debian
CVE-2024-9402 | CRITICAL | CVSS 9.8 | fixed in firefox 131.0-1 (sid) | 2024
CVE-2024-9402 [CRITICAL] firefox - Memory safety bugs present in Firefox 130, Firefox ESR 128.2, and Thunderbird 128.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Thunderbird < 128.3, and Thunderbird < 131. Scope: local; sid
debian
CVE-2024-9680 | CRITICAL | CVSS 9.8 | KEV | fixed in firefox 131.0.2-1 (sid) | 2024
CVE-2024-9680 [CRITICAL] firefox - An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines. We have had reports of this vulnerability being exploited in the wild. This vulnerability affects Firefox < 131.0.2, Firefox ESR < 128.3.1, Firefox ESR < 115.16.1, Thunderbird < 131.0.1, Thunderbird < 128.3.1, and Thunderbird < 115.16.0. Sco
debian
CVE-2024-6602 | CRITICAL | CVSS 9.8 | fixed in firefox 128.0-1 (sid) | 2024
CVE-2024-6602 [CRITICAL] firefox - A mismatch between allocator and deallocator could have led to memory corruption. This vulnerability affects Firefox < 128, Firefox ESR < 115.13, Thunderbird < 115.13, and Thunderbird < 128. Scope: local; sid: resolved (fixed in 128.0-1)
debian
CVE-2024-8384 | CRITICAL | CVSS 9.8 | fixed in firefox 130.0-1 (sid) | 2024
CVE-2024-8384 [CRITICAL] firefox - The JavaScript garbage collector could mis-color cross-compartment objects if OOM conditions were detected at the right point between two passes. This could have led to memory corruption. This vulnerability affects Firefox < 130, Firefox ESR < 128.2, Firefox ESR < 115.15, Thunderbird < 128.2, and Thunderbird < 115.15. Scope: local; sid: resolved (fixed in 130.0-1)
debian
CVE-2024-11705 | CRITICAL | CVSS 9.1 | fixed in firefox 134.0-1 (sid) | 2024
CVE-2024-11705 [CRITICAL] firefox - `NSC_DeriveKey` inadvertently assumed that the `phKey` parameter is always non-NULL. When it was passed as NULL, a segmentation fault (SEGV) occurred, leading to crashes. This behavior conflicted with the PKCS#11 v3.0 specification, which allows `phKey` to be NULL for certain mechanisms. This vulnerability affects Firefox < 133 and Thunderbird < 133. Scope: loca
debian
CVE-2024-2615 | CRITICAL | CVSS 9.8 | fixed in firefox 124.0-1 (sid) | 2024
CVE-2024-2615 [CRITICAL] firefox - Memory safety bugs present in Firefox 123. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 124. Scope: local; sid: resolved (fixed in 124.0-1)
debian
CVE-2024-8381 | CRITICAL | CVSS 9.8 | fixed in firefox 130.0-1 (sid) | 2024
CVE-2024-8381 [CRITICAL] firefox - A potentially exploitable type confusion could be triggered when looking up a property name on an object being used as the `with` environment. This vulnerability affects Firefox < 130, Firefox ESR < 128.2, Firefox ESR < 115.15, Thunderbird < 128.2, and Thunderbird < 115.15. Scope: local; sid: resolved (fixed in 130.0-1)
debian
CVE-2024-11704 | CRITICAL | CVSS 9.8 | fixed in firefox 134.0-1 (sid) | 2024
CVE-2024-11704 [CRITICAL] firefox - A double-free issue could have occurred in `sec_pkcs7_decoder_start_decrypt()` when handling an error path. Under specific conditions, the same symmetric key could have been freed twice, potentially leading to memory corruption. This vulnerability affects Firefox < 133, Thunderbird < 133, Firefox ESR < 128.7, and Thunderbird < 128.7. Scope: local; sid: resolved (
debian
CVE-2024-9401 | CRITICAL | CVSS 9.8 | fixed in firefox 131.0-1 (sid) | 2024
CVE-2024-9401 [CRITICAL] firefox - Memory safety bugs present in Firefox 130, Firefox ESR 115.15, Firefox ESR 128.2, and Thunderbird 128.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Firefox ESR < 115.16, Thunderbird < 128.
debian
CVE-2024-8387 | CRITICAL | CVSS 9.8 | fixed in firefox 130.0-1 (sid) | 2024
CVE-2024-8387 [CRITICAL] firefox - Memory safety bugs present in Firefox 129, Firefox ESR 128.1, and Thunderbird 128.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 130, Firefox ESR < 128.2, and Thunderbird < 128.2. Scope: local; sid: resolved (fixed i
debian
CVE-2024-7519 | CRITICAL | CVSS 9.6 | fixed in firefox 129.0-1 (sid) | 2024
CVE-2024-7519 [CRITICAL] firefox - Insufficient checks when processing graphics shared memory could have led to memory corruption. This could be leveraged by an attacker to perform a sandbox escape. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, Firefox ESR < 128.1, Thunderbird < 128.1, and Thunderbird < 115.14. Scope: local; sid: resolved (fixed in 129.0-1)
debian