Mozilla Foundation Security Advisory 2025-53
Security Vulnerabilities fixed in Firefox ESR 128.12
- Announced
- June 24, 2025
- Impact
- high
- Products
- Firefox ESR
- Fixed in
-
- Firefox ESR 128.12
#CVE-2025-6424: Use-after-free in FontFaceSet
- Reporter
- LJP and HexRabbit (DEVCORE Research Team)
- Impact
- high
Description
A use-after-free in FontFaceSet resulted in a potentially exploitable crash.
References
#CVE-2025-6425: The WebCompat WebExtension shipped with Firefox exposed a persistent UUID
- Reporter
- Rob Wu
- Impact
- moderate
Description
An attacker who enumerated resources from the WebCompat extension could have obtained a persistent UUID that identified the browser, and persisted between containers and normal/private browsing mode, but not profiles.
References
#CVE-2025-6426: No warning when opening executable terminal files on macOS
- Reporter
- pwn2car
- Impact
- moderate
Description
The executable file warning did not warn users before opening files with the terminal extension.
This bug only affects Firefox for macOS. Other versions of Firefox are unaffected.
References
#CVE-2025-6429: Incorrect parsing of URLs could have allowed embedding of youtube.com
- Reporter
- Masato Kinugawa
- Impact
- moderate
Description
Firefox could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing the URL specified in an embed tag. This could have bypassed website security checks that restricted which domains users were allowed to embed.
References
#CVE-2025-6430: Content-Disposition header ignored when a file is included in an embed or object tag
- Reporter
- Daniil Satyaev (Positive Technologies)
- Impact
- moderate
Description
When a file download is specified via the Content-Disposition header, that directive would be ignored if the file was included via a <embed> or <object> tag, potentially making a website vulnerable to a cross-site scripting attack.