Mozilla Foundation Security Advisory 2025-52

Security Vulnerabilities fixed in Firefox ESR 115.25

Announced

June 24, 2025

Impact

high

Products

Firefox ESR

Fixed in

Firefox ESR 115.25

#CVE-2025-6424: Use-after-free in FontFaceSet

Reporter: LJP and HexRabbit (DEVCORE Research Team)
Impact: high

Description

A use-after-free in FontFaceSet resulted in a potentially exploitable crash.

References

Bug 1966423

#CVE-2025-6425: The WebCompat WebExtension shipped with Firefox exposed a persistent UUID

Reporter: Rob Wu
Impact: moderate

Description

An attacker who enumerated resources from the WebCompat extension could have obtained a persistent UUID that identified the browser, and persisted between containers and normal/private browsing mode, but not profiles.

References

Bug 1717672

Firefox for Desktop

Firefox for iOS

Firefox for Android

Firefox Focus

Firefox blog

Mozilla VPN

Mozilla Monitor

Firefox Relay

Pocket

MDN Plus

Fakespot

Thunderbird

About Mozilla

The Mozilla Manifesto

Get Involved

Blog

Mozilla Foundation

Mozilla.ai

Mozilla Ventures

Mozilla Advertising

Mozilla Builders

Mozilla New Products

Mozilla Foundation Security Advisory 2025-52

Security Vulnerabilities fixed in Firefox ESR 115.25

#CVE-2025-6424: Use-after-free in FontFaceSet

Description

References

#CVE-2025-6425: The WebCompat WebExtension shipped with Firefox exposed a persistent UUID

Description

References