Debian Firefox vulnerabilities
1,550 known vulnerabilities affecting debian/firefox.
Total CVEs: 1,550
CISA KEV: 11 (actively exploited)
Public exploits: 39
Exploited in wild: 20
Severity breakdown: CRITICAL 333, HIGH 633, MEDIUM 542, LOW 42
Vulnerabilities
Page 52 of 78
CVE-2022-45405 | MEDIUM | P4 | CVSS 6.5 | 2022 | fixed in firefox 107.0-1 (sid)
Freeing arbitrary nsIInputStream's on a different thread than creation could have led to a use-after-free and potentially exploitable crash. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.
Scope: local
sid: resolved (fixed in 107.0-1)
CVE-2023-25752 | MEDIUM | P4 | CVSS 6.5 | 2023 | fixed in firefox 111.0-1 (sid)
When accessing throttled streams, the count of available bytes needed to be checked in the calling function to be within bounds. This may have led future code to be incorrect and vulnerable. This vulnerability affects Firefox < 111, Firefox ESR < 102.9, and Thunderbird < 102.9.
Scope: local
sid: resolved (fixed in 111.0-1)
CVE-2022-31744 | MEDIUM | P4 | CVSS 6.5 | 2022 | fixed in firefox 101.0-1 (sid)
An attacker could have injected CSS into stylesheets accessible via internal URIs, such as resource:, and in doing so bypass a page's Content Security Policy. This vulnerability affects Firefox ESR < 91.11, Thunderbird < 102, Thunderbird < 91.11, and Firefox < 101.
Scope: local
sid: resolved (fixed in 101.0-1)
CVE-2023-4575 | MEDIUM | P4 | CVSS 6.5 | 2023 | fixed in firefox 117.0-1 (sid)
When creating a callback over IPC for showing the File Picker window, multiple of the same callbacks could have been created at a time and eventually all simultaneously destroyed as soon as one of the callbacks finished. This could have led to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox < 117, Firefox ESR < 102.15, Fi
CVE-2023-4574 | MEDIUM | P4 | CVSS 6.5 | 2023 | fixed in firefox 117.0-1 (sid)
When creating a callback over IPC for showing the Color Picker window, multiple of the same callbacks could have been created at a time and eventually all simultaneously destroyed as soon as one of the callbacks finished. This could have led to a use-after-free causing a potentially exploitable crash. This vulnerability affects Firefox < 117, Firefox ESR < 102.15, F
CVE-2022-45420 | MEDIUM | P4 | CVSS 6.5 | 2022 | fixed in firefox 107.0-1 (sid)
Using tables inside an iframe, an attacker could have caused iframe contents to be rendered outside the boundaries of the iframe, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.
Scope: local
sid: resolved (fixed in 107.0-1)
CVE-2024-10462 | MEDIUM | P4 | CVSS 6.5 | 2024 | fixed in firefox 132.0-1 (sid)
Truncation of a long URL could have allowed origin spoofing in a permission prompt. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, and Thunderbird < 132.
Scope: local
sid: resolved (fixed in 132.0-1)
CVE-2024-10465 | MEDIUM | P4 | CVSS 6.5 | 2024 | fixed in firefox 132.0-1 (sid)
A clipboard "paste" button could persist across tabs which allowed a spoofing attack. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, and Thunderbird < 132.
Scope: local
sid: resolved (fixed in 132.0-1)
CVE-2024-7529 | MEDIUM | P4 | CVSS 6.5 | 2024 | fixed in firefox 129.0-1 (sid)
The date picker could partially obscure security prompts. This could be used by a malicious site to trick a user into granting permissions. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, Firefox ESR < 128.1, Thunderbird < 128.1, and Thunderbird < 115.14.
Scope: local
sid: resolved (fixed in 129.0-1)
CVE-2023-6211 | MEDIUM | P4 | CVSS 6.5 | 2023 | fixed in firefox 120.0-1 (sid)
If an attacker needed a user to load an insecure http: page and knew that user had enabled HTTPS-only mode, the attacker could have tricked the user into clicking to grant an HTTPS-only exception if they could get the user to participate in a clicking game. This vulnerability affects Firefox < 120.
Scope: local
sid: resolved (fixed in 120.0-1)
CVE-2023-3482 | MEDIUM | P4 | CVSS 6.5 | 2023 | fixed in firefox 115.0-1 (sid)
When Firefox is configured to block storage of all cookies, it was still possible to store data in localStorage by using an iframe with a source of 'about:blank'. This could have led to malicious websites storing tracking data without permission. This vulnerability affects Firefox < 115.
Scope: local
sid: resolved (fixed in 115.0-1)
CVE-2021-23986 | MEDIUM | P4 | CVSS 6.5 | 2021 | fixed in firefox 87.0-1 (sid)
A malicious extension with the 'search' permission could have installed a new search engine whose favicon referenced a cross-origin URL. The response to this cross-origin request could have been read by the extension, allowing a same-origin policy bypass by the extension, which should not have cross-origin permissions. This cross-origin request was made without co
CVE-2019-7317 | MEDIUM | P4 | CVSS 5.3 | 2019 | fixed in firefox 67.0-2 (sid)
png_image_free in png.c in libpng 1.6.x before 1.6.37 has a use-after-free because png_image_free_function is called under png_safe_execute.
Scope: local
sid: resolved (fixed in 67.0-2)
CVE-2025-9181 | MEDIUM | P4 | CVSS 6.5 | 2025 | fixed in firefox 142.0-1 (sid)
Uninitialized memory in the JavaScript Engine component. This vulnerability affects Firefox < 142, Firefox ESR < 128.14, Firefox ESR < 140.2, Thunderbird < 142, Thunderbird < 128.14, and Thunderbird < 140.2.
Scope: local
sid: resolved (fixed in 142.0-1)
CVE-2024-11708 | MEDIUM | P4 | CVSS 6.5 | 2024 | fixed in firefox 133.0-1 (sid)
Missing thread synchronization primitives could have led to a data race on members of the PlaybackParams structure. This vulnerability affects Firefox < 133 and Thunderbird < 133.
Scope: local
sid: resolved (fixed in 133.0-1)
CVE-2025-1013 | MEDIUM | P4 | CVSS 6.5 | 2025 | fixed in firefox 135.0-1 (sid)
A race condition could have led to private browsing tabs being opened in normal browsing windows. This could have resulted in a potential privacy leak. This vulnerability affects Firefox < 135, Firefox ESR < 128.7, Thunderbird < 128.7, and Thunderbird < 135.
Scope: local
sid: resolved (fixed in 135.0-1)
CVE-2025-6429 | MEDIUM | P4 | CVSS 6.5 | 2025 | fixed in firefox 140.0-1 (sid)
Firefox could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing the URL specified in an `embed` tag. This could have bypassed website security checks that restricted which domains users were allowed to embed. This vulnerability affects Firefox < 140, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12.
Scope: local
sid: resolved (fixed in 140.0-1)
CVE-2025-5271 | MEDIUM | P4 | CVSS 6.5 | 2025 | fixed in firefox 139.0-1 (sid)
Previewing a response in Devtools ignored CSP headers, which could have allowed content injection attacks. This vulnerability affects Firefox < 139 and Thunderbird < 139.
Scope: local
sid: resolved (fixed in 139.0-1)
CVE-2026-3846 | MEDIUM | P4 | CVSS 6.5 | 2026 | fixed in firefox 148.0.2-1 (sid)
Same-origin policy bypass in the CSS Parsing and Computation component. This vulnerability affects Firefox < 148.0.2.
Scope: local
sid: resolved (fixed in 148.0.2-1)
CVE-2005-2414 | LOW | P4 | CVSS 2.6 | PoC | 2005 | fixed in firefox 1.5.dfsg-1 (sid)
Race condition in the xpcom library, as used by web browsers such as Firefox, Mozilla, Netscape, and Galeon, allows remote attackers to cause a denial of service (application crash) via a large HTML file that loads a DOM call from within nested DIV tags, which causes part of the currently rendering page and referenced objects to be deleted.
Scope: local
sid: resolved (fixed in 1.5.dfsg-1)
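The "fixed in" field on every entry above is a Debian package version string, and the only correct way to decide whether an installed firefox package is affected is to compare it with Debian's version ordering (epoch, upstream, revision, with "~" sorting before everything), not with a string or float comparison. The following added Python example, which is not part of this page, the Debian tracker, or any Firefox tooling, reimplements dpkg's comparison algorithm (the same ordering `dpkg --compare-versions` uses) and runs it over "fixed in" strings copied from this page's entries. The installed version passed in is an assumed input; on a real host it would come from `dpkg-query -W -f='${Version}' firefox`.

```python
"""Check an installed Debian firefox version against the "fixed in" versions
listed on a vulnerability page, using dpkg's version ordering.

Added example; not code from the page or from Debian. The listing below is
copied from entries on this page; the installed version is a constructed input.
"""
import re

# Constructed from entries on this page: (CVE, "fixed in" text as displayed).
LISTING = [
    ("CVE-2022-45405", "fixed in firefox 107.0-1 (sid)"),
    ("CVE-2023-25752", "fixed in firefox 111.0-1 (sid)"),
    ("CVE-2022-31744", "fixed in firefox 101.0-1 (sid)"),
    ("CVE-2024-10462", "fixed in firefox 132.0-1 (sid)"),
    ("CVE-2025-9181", "fixed in firefox 142.0-1 (sid)"),
    ("CVE-2026-3846", "fixed in firefox 148.0.2-1 (sid)"),
    ("CVE-2005-2414", "fixed in firefox 1.5.dfsg-1 (sid)"),
]

# Matches the page's "fixed in <package> <version> (<suite>)" field.
FIXED_RE = re.compile(r"fixed in (?P<pkg>\S+) (?P<ver>\S+) \((?P<suite>[^)]+)\)")


def parse_fixed(text):
    """Return (package, version, suite) from a 'fixed in' field, or None."""
    m = FIXED_RE.search(text)
    return (m.group("pkg"), m.group("ver"), m.group("suite")) if m else None


def _isdigit(c):
    return "0" <= c <= "9"


def _order(c):
    # dpkg's character weight: '~' sorts before end-of-string, letters sort
    # before non-letters, digits are handled separately.
    if _isdigit(c):
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a, b):
    """dpkg's verrevcmp(): alternate non-digit and digit runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character weights (end-of-string weighs 0).
        while (i < len(a) and not _isdigit(a[i])) or (j < len(b) and not _isdigit(b[j])):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: strip leading zeros, then the longer run wins, else the
        # first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and _isdigit(a[i]) and j < len(b) and _isdigit(b[j]):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and _isdigit(a[i]):
            return 1
        if j < len(b) and _isdigit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0


def split_version(v):
    """Split '[epoch:]upstream[-revision]'; a missing revision equals '0'."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, revision = v.rsplit("-", 1) if "-" in v else (v, "0")
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 like dpkg --compare-versions a lt/eq/gt b."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def unfixed_cves(installed, listing=LISTING):
    """CVEs whose fixed-in version is newer than the installed version.

    Entries with an unparseable fix field are reported as open: an unknown
    fix status must never be silently treated as fixed.
    """
    open_cves = []
    for cve, text in listing:
        parsed = parse_fixed(text)
        if parsed is None or compare_versions(installed, parsed[1]) < 0:
            open_cves.append(cve)
    return open_cves


if __name__ == "__main__":
    installed = "131.0-1"  # constructed; use dpkg-query on a real host
    print(installed, "still affected by:", unfixed_cves(installed))
```

Two caveats a practitioner should keep in mind when using this. First, the page's "fixed in" versions are for sid; stable and oldstable ship firefox-esr with its own version stream and security uploads (revisions such as `1~deb13u1`), so the suite in the field must match the suite being checked. Second, `1.5.dfsg-1` sorts above `1.5-1` under dpkg ordering because a non-digit after the upstream version outweighs end-of-string, which is why repacked uploads conventionally use `+dfsg` or `~dfsg`; the comparison function handles both forms, and the function reports unparseable entries as open rather than fixed.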