Analysis Summary

CVE-2025-5272 CVSS:8.8

Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory safety bugs within the browser engine. By persuading a victim to visit a specially crafted website, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.

CVE-2025-5271 CVSS:4.3

Mozilla Firefox is vulnerable to a content injection attack when previewing a response in Devtools ignored CSP headers.

CVE-2025-5270 CVSS:6.5

Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by SNI being sent unencrypted even when encrypted DNS was enabled. By persuading a victim to visit a specially crafted website, a remote attacker could exploit this vulnerability using unknown attack vectors to obtain sensitive information.

CVE-2025-5269 CVSS:8.8

Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory safety bugs within the browser engine. By persuading a victim to visit a specially crafted website, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.

Impact

• Code Execution
• Denial of Service
• Information Disclosure

Indicators of Compromise

CVE

• CVE-2025-5269

• CVE-2025-5270

• CVE-2025-5271

• CVE-2025-5272

Affected Vendors

Affected Products

• Mozilla Thunderbird - 138.0.1
• Mozilla Firefox - 138.0.3

Remediation

Refer to the Mozilla Security Advisory for patch, upgrade, or suggested workaround information.

Mozilla Security Advisory