CVE-2025-4084

Description

Due to insufficient escaping of the special characters in the "copy as cURL" feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. *This bug only affects Firefox for Windows. Other versions of Firefox are unaffected.*. This vulnerability was fixed in Firefox ESR 128.10, Firefox ESR 115.23, and Thunderbird 128.10.

PUBLISHED Reserved 2025-04-29 | Published 2025-04-29 | Updated 2026-04-13 | Assigner mozilla

Product status

Credits

Ameen Basha M K

References

lists.debian.org/debian-lts-announce/2025/05/msg00022.html

bugzilla.mozilla.org/...i?bug_id=1949994%2C1956698%2C1960198

www.mozilla.org/security/advisories/mfsa2025-29/

www.mozilla.org/security/advisories/mfsa2025-30/

www.mozilla.org/security/advisories/mfsa2025-32/

cve.org (CVE-2025-4084)

nvd.nist.gov (CVE-2025-4084)

Download JSON