Analysis Summary

CVE-2025-5263 CVSS:6.5

Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by error handling for script execution being incorrectly isolated from web content. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to allow cross-origin leak attacks.

CVE-2025-5264 CVSS:5.3

Mozilla Firefox could allow a local attacker to execute arbitrary code on the system, caused by insufficient escaping of the newline character in the “Copy as cURL” feature. By persuading a victim into using this command, an attacker could exploit this vulnerability to execute arbitrary code on the vulnerable system or cause a denial of service.

CVE-2025-5265 CVSS:7.8

Mozilla Firefox could allow a local attacker to execute arbitrary code on the system, caused by insufficient escaping of the ampersand character in the “Copy as cURL” feature. By persuading a victim into using this command, an attacker could exploit this vulnerability to execute arbitrary code on the vulnerable system or cause a denial of service.

CVE-2025-5266 CVSS:6.5

Mozilla Firefox could allow a remote attacker to obtain sensitive information. Script element events leak cross-origin resource status.

Impact

• Information Disclosure
• Denial of Service
• Code Execution

Indicators of Compromise

CVE

• CVE-2025-5263

• CVE-2025-5264

• CVE-2025-5265

• CVE-2025-5266

Affected Vendors

Affected Products

• Mozilla Firefox Esr - 128.10
• Mozilla Thunderbird - 138.0
• Mozilla Thunderbird - 128.10
• Mozilla Firefox - 138.0
• Mozilla Firefox ESR - 115.23

Remediation

Refer to the Mozilla Security Advisory for patch, upgrade, or suggested workaround information.

Mozilla Security Advisory