Severity
Medium
Analysis Summary
CVE-2025-5272 CVSS:8.8
Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory safety bugs within the browser engine. By persuading a victim to visit a specially crafted website, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CVE-2025-5271 CVSS:4.3
Mozilla Firefox is vulnerable to a content injection attack when previewing a response in Devtools ignored CSP headers.
CVE-2025-5270 CVSS:6.5
Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by SNI being sent unencrypted even when encrypted DNS was enabled. By persuading a victim to visit a specially crafted website, a remote attacker could exploit this vulnerability using unknown attack vectors to obtain sensitive information.
CVE-2025-5269 CVSS:8.8
Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory safety bugs within the browser engine. By persuading a victim to visit a specially crafted website, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
Impact
- Code Execution
- Denial of Service
- Information Disclosure
Indicators of Compromise
CVE
CVE-2025-5269
CVE-2025-5270
CVE-2025-5271
CVE-2025-5272
Affected Vendors
Affected Products
- Mozilla Thunderbird - 138.0.1
- Mozilla Firefox - 138.0.3
Remediation
Refer to the Mozilla Security Advisory for patch, upgrade, or suggested workaround information.