CVE-2025-5264

Description

Due to insufficient escaping of the newline character in the “Copy as cURL” feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. This vulnerability was fixed in Firefox 139, Firefox ESR 115.24, Firefox ESR 128.11, Thunderbird 139, and Thunderbird 128.11.

PUBLISHED Reserved 2025-05-27 | Published 2025-05-27 | Updated 2026-04-13 | Assigner mozilla

Product status

Credits

Ameen Basha M K

References

lists.debian.org/debian-lts-announce/2025/05/msg00046.html

lists.debian.org/debian-lts-announce/2025/05/msg00043.html

bugzilla.mozilla.org/show_bug.cgi?id=1950001

www.mozilla.org/security/advisories/mfsa2025-42/

www.mozilla.org/security/advisories/mfsa2025-43/

www.mozilla.org/security/advisories/mfsa2025-44/

www.mozilla.org/security/advisories/mfsa2025-45/

www.mozilla.org/security/advisories/mfsa2025-46/

cve.org (CVE-2025-5264)

nvd.nist.gov (CVE-2025-5264)

Download JSON