Mozilla Foundation Security Advisory 2025-56
Security Vulnerabilities fixed in Firefox 141
- Announced
- July 22, 2025
- Impact
- high
- Products
- Firefox
- Fixed in
-
- Firefox 141
#CVE-2025-8027: JavaScript engine only wrote partial return value to stack
- Reporter
- Nan Wang
- Impact
- high
Description
On 64-bit platforms IonMonkey-JIT only wrote 32 bits of the 64-bit return value space on the stack. Baseline-JIT, however, read the entire 64 bits.
References
#CVE-2025-8028: Large branch table could lead to truncated instruction
- Reporter
- Gary Kwong
- Impact
- high
Description
On arm64, a WASM br_table instruction with a lot of entries could lead to the label being too far from the instruction causing truncation and incorrect computation of the branch address.
References
#CVE-2025-8041: Incorrect URL truncation in Firefox for Android
- Reporter
- Chris Peterson and Kirtikumar Anandrao Ramchandani
- Impact
- moderate
Description
In the address bar, Firefox for Android truncated the display of URLs from the end instead of prioritizing the origin.
References
#CVE-2025-8042: Sandboxed iframe could start downloads
- Reporter
- Axel Chong (@Haxatron)
- Impact
- moderate
Description
Firefox for Android allowed a sandboxed iframe without the allow-downloads attribute to start downloads.
References
#CVE-2025-8029: javascript: URLs executed on object and embed tags
- Reporter
- Mirko Brodesser
- Impact
- moderate
Description
Firefox executed javascript: URLs when used in object and embed tags.
References
#CVE-2025-8036: DNS rebinding circumvents CORS
- Reporter
- Viktor Bocz
- Impact
- moderate
Description
Firefox cached CORS preflight responses across IP address changes. This allowed circumventing CORS with DNS rebinding.
References
#CVE-2025-8037: Nameless cookies shadow secure cookies
- Reporter
- Uku Sõrmus
- Impact
- moderate
Description
Setting a nameless cookie with an equals sign in the value shadowed other cookies. Even if the nameless cookie was set over HTTP and the shadowed cookie included the Secure attribute.
References
#CVE-2025-8030: Potential user-assisted code execution in “Copy as cURL” command
- Reporter
- Ameen Basha M K
- Impact
- moderate
Description
Insufficient escaping in the “Copy as cURL” feature could potentially be used to trick a user into executing unexpected code.
References
#CVE-2025-8043: Incorrect URL truncation
- Reporter
- alayersattackers
- Impact
- moderate
Description
Focus incorrectly truncated URLs towards the beginning instead of around the origin.
References
#CVE-2025-8031: Incorrect URL stripping in CSP reports
- Reporter
- Tom Schuster
- Impact
- moderate
Description
The username:password part was not correctly stripped from URLs in CSP reports potentially leaking HTTP Basic Authentication credentials.
References
#CVE-2025-8032: XSLT documents could bypass CSP
- Reporter
- Joe Turki
- Impact
- moderate
Description
XSLT document loading did not correctly propagate the source document which bypassed its CSP.
References
#CVE-2025-8038: CSP frame-src was not correctly enforced for paths
- Reporter
- Laurin Weger
- Impact
- low
Description
Firefox ignored paths when checking the validity of navigations in a frame.
References
#CVE-2025-8039: Search terms persisted in URL bar
- Reporter
- Sören Hentzschel
- Impact
- low
Description
In some cases search terms persisted in the URL bar even after navigating away from the search page.
References
#CVE-2025-8033: Incorrect JavaScript state machine for generators
- Reporter
- Shaheen Fazim
- Impact
- low
Description
The JavaScript engine did not handle closed generators correctly and it was possible to resume them leading to a nullptr deref.
References
#CVE-2025-8044: Memory safety bugs fixed in Firefox 141 and Thunderbird 141
- Reporter
- Akmat Suleimanov, Andrew McCreight
- Impact
- high
Description
Memory safety bugs present in Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
References
#CVE-2025-8034: Memory safety bugs fixed in Firefox ESR 115.26, Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141
- Reporter
- the Mozilla Fuzzing Team
- Impact
- high
Description
Memory safety bugs present in Firefox ESR 115.25, Firefox ESR 128.12, Thunderbird ESR 128.12, Firefox ESR 140.0, Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
References
#CVE-2025-8040: Memory safety bugs fixed in Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141
- Reporter
- Andrew McCreight, Ashley Zebrowski
- Impact
- high
Description
Memory safety bugs present in Firefox ESR 140.0, Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
References
#CVE-2025-8035: Memory safety bugs fixed in Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141
- Reporter
- the Mozilla Fuzzing Team
- Impact
- high
Description
Memory safety bugs present in Firefox ESR 128.12, Thunderbird ESR 128.12, Firefox ESR 140.0, Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.