PT-2025-18148 · Mozilla+7 · Firefox Esr+10
Dong-Uk Kim
·
Published
2025-04-29
·
Updated
2026-04-14
·
CVE-2025-2817
CVSS v2.0
9.0
High
| Vector | AV:N/AC:L/Au:S/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Mozilla Firefox versions prior to 138
Mozilla Firefox ESR versions prior to 128.10
Mozilla Firefox ESR versions prior to 115.23
Thunderbird versions prior to 138
Thunderbird ESR versions prior to 128.10
Description
The update mechanism in Mozilla Firefox allowed a medium-integrity user process to interfere with the SYSTEM-level updater by manipulating file-locking behavior. By injecting code into the user-privileged process, an attacker could bypass intended access controls, enabling SYSTEM-level file operations on paths controlled by a non-privileged user and allowing privilege escalation.
Recommendations
For Mozilla Firefox versions prior to 138, update to version 138 or later.
For Mozilla Firefox ESR versions prior to 128.10, update to version 128.10 or later.
For Mozilla Firefox ESR versions prior to 115.23, update to version 115.23 or later.
For Thunderbird versions prior to 138, update to version 138 or later.
For Thunderbird ESR versions prior to 128.10, update to version 128.10 or later.
Fix
LPE
Improper Access Control
Path traversal
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Alt Linux
Almalinux
Centos
Firefox
Firefox Esr
Red Hat
Red Os
Rocky Linux
Suse
Thunderbird
Thunderbird Esr