SB2025062449 - Multiple vulnerabilities in Mozilla Firefox

Security Bulletin ID SB2025062449

Severity

High

Patch available

YES

Number of vulnerabilities 13

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 13 secuirty vulnerabilities.

1) Use-after-free (CVE-ID: CVE-2025-6424)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error in FontFaceSet. A remote attacker can trick the victim into opening a specially crafted website and execute arbitrary code on the system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

2) Information disclosure (CVE-ID: CVE-2025-6425)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the WebCompat extension shipped with Firefox allows to enumerate resources and obtain a persistent UUID that identifies the browser, and persists between containers and normal/private browsing mode, but not profiles.

3) Insufficient UI Warning of Dangerous Operations (CVE-ID: CVE-2025-6426)

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to the terminal extension does not show a warning when opening an executable terminal filer on macOS. A remote attacker can trick the victim into executing an executable file and compromise the affected system.

Note, the vulnerability affects macOS installations only.

4) Input validation error (CVE-ID: CVE-2025-6429)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to incorrect parsing of embedded URLs that led to URLs being rewritten to the youtube.com domain. A remote attacker can use a specially crafted embed tag to bypass website security checks that restricted which domains users were allowed to embed.

5) Protection Mechanism Failure (CVE-ID: CVE-2025-6430)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to an error when handling embed or object tags. When a file download is specified via the Content-Disposition header, that directive would be ignored if the file was included via a <embed> or <object> tag, potentially making a website vulnerable to a cross-site scripting attack.

6) Protection Mechanism Failure (CVE-ID: CVE-2025-6427)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient implementation of security measures. An attacker is able to bypass the connect-src directive of a Content Security Policy by manipulating subdocuments. This would have also hidden the connections from the Network tab in Devtools.

7) Spoofing attack (CVE-ID: CVE-2025-6428)

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to Firefox for Android follows the URL provided in a link querystring parameter instead of the correct URL. A remote attacker can perform a phishing attack.

8) Insufficient UI Warning of Dangerous Operations (CVE-ID: CVE-2025-6431)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to an error in Firefox for Android when opening URLs in external applications. A remote attacker can bypass the prompt asking for confirmation to open an URL in an external application.

9) Information disclosure (CVE-ID: CVE-2025-6432)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to DNS requests can be leaked outside of a configured SOCKS proxy. When Multi-Account Containers was enabled, DNS requests could have bypassed a SOCKS proxy when the domain name was invalid or the SOCKS proxy was not responding.

10) Improperly implemented security check for standard (CVE-ID: CVE-2025-6433)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to an error when handling invalid TLS certificates. If a user visited a webpage with an invalid TLS certificate, and granted an exception, the webpage was able to provide a WebAuthn challenge that the user would be prompted to complete. This is in violation of the WebAuthN spec which requires "a secure transport established without errors".

11) Protection Mechanism Failure (CVE-ID: CVE-2025-6434)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to the exception page for the HTTPS-Only feature, displayed when a website is opened via HTTP, lacked an anti-clickjacking delay, potentially allowing an attacker to trick a user into granting an exception and loading a webpage over HTTP.

12) Input validation error (CVE-ID: CVE-2025-6435)

The vulnerability allows a remote attacker to manipulate file a downloaded extension.

The vulnerability exists due to insufficient validation of user-supplied input. If a user saved a response from the Network tab in Devtools using the Save As context menu option, that file may not have been saved with the .download file extension. This could have led to the user inadvertently running a malicious executable.

13) Buffer overflow (CVE-ID: CVE-2025-6436)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Remediation

Install update from vendor's website.

SB2025062449 - Multiple vulnerabilities in Mozilla Firefox

Breakdown by Severity

Description

Remediation

References