Mozilla Foundation Security Advisory 2025-58

Security Vulnerabilities fixed in Firefox ESR 128.13

Announced

July 22, 2025

Impact

high

Products

Firefox ESR

Fixed in

Firefox ESR 128.13

#CVE-2025-8027: JavaScript engine only wrote partial return value to stack

Reporter: Nan Wang
Impact: high

Description

On 64-bit platforms IonMonkey-JIT only wrote 32 bits of the 64-bit return value space on the stack. Baseline-JIT, however, read the entire 64 bits.

References

Bug 1968423

#CVE-2025-8028: Large branch table could lead to truncated instruction

Reporter: Gary Kwong
Impact: high

Description

On arm64, a WASM br_table instruction with a lot of entries could lead to the label being too far from the instruction causing truncation and incorrect computation of the branch address.

References

Bug 1971581

#CVE-2025-8029: javascript: URLs executed on object and embed tags

Reporter: Mirko Brodesser
Impact: moderate

Description

Firefox executed javascript: URLs when used in object and embed tags.

References

Bug 1928021

#CVE-2025-8030: Potential user-assisted code execution in “Copy as cURL” command

Reporter: Ameen Basha M K
Impact: moderate

Description

Insufficient escaping in the “Copy as cURL” feature could potentially be used to trick a user into executing unexpected code.

References

Bug 1968414

#CVE-2025-8031: Incorrect URL stripping in CSP reports

Reporter: Tom Schuster
Impact: moderate

Description

The username:password part was not correctly stripped from URLs in CSP reports potentially leaking HTTP Basic Authentication credentials.

References

Bug 1971719

#CVE-2025-8032: XSLT documents could bypass CSP

Reporter: Joe Turki
Impact: moderate

Description

XSLT document loading did not correctly propagate the source document which bypassed its CSP.

References

Bug 1974407

#CVE-2025-8033: Incorrect JavaScript state machine for generators

Reporter: Shaheen Fazim
Impact: low

Description

The JavaScript engine did not handle closed generators correctly and it was possible to resume them leading to a nullptr deref.

References

Bug 1973990

#CVE-2025-8034: Memory safety bugs fixed in Firefox ESR 115.26, Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141

Reporter: the Mozilla Fuzzing Team
Impact: high

Description

Memory safety bugs present in Firefox ESR 115.25, Firefox ESR 128.12, Thunderbird ESR 128.12, Firefox ESR 140.0, Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

References

Memory safety bugs fixed in Firefox ESR 115.26, Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141

#CVE-2025-8035: Memory safety bugs fixed in Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141

Reporter: the Mozilla Fuzzing Team
Impact: high

Description

Memory safety bugs present in Firefox ESR 128.12, Thunderbird ESR 128.12, Firefox ESR 140.0, Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

References

Memory safety bugs fixed in Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141

Mozilla VPN

Mozilla Monitor

Firefox Relay

Pocket

MDN Plus

Thunderbird

About Mozilla

The Mozilla Manifesto

Get Involved

Blog