PT-2025-22990 · Mozilla+4 · Firefox+4

Ameen Basha M K

Published

2025-05-27

Updated

2025-12-03

CVE-2025-5265

CVSS v3.1

4.8

Medium

Vector

AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

Name of the Vulnerable Software and Affected Versions Firefox versions prior to 139 Firefox ESR versions prior to 115.24 Firefox ESR versions prior to 128.11

Description The issue arises from insufficient escaping of the ampersand character in the "Copy as cURL" feature. This could allow an attacker to trick a user into executing a command, potentially leading to local code execution on the user's system. This bug only affects Firefox for Windows, with other versions of Firefox being unaffected.

Recommendations For Firefox versions prior to 139, update to version 139 or later. For Firefox ESR versions prior to 115.24, update to version 115.24 or later. For Firefox ESR versions prior to 128.11, update to version 128.11 or later.

Fix

Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-77

Related Identifiers

ALT-PU-2025-11100

ALT-PU-2025-11495

ALT-PU-2025-11497

ALT-PU-2025-14599

ALT-PU-2025-8611

ALT-PU-2025-8725

BDU:2025-06221

CVE-2025-5265

OESA-2025-1835

OPENSUSE-SU-2025-20135-1

OPENSUSE-SU-2025:15170-1

OPENSUSE-SU-2025:15174-1

OPENSUSE-SU-2025:15196-1

OPENSUSE-SU-2025:15315-1

OPENSUSE-SU-2025:20135-1

SUSE-SU-2025:01769-1

SUSE-SU-2025:01814-1

SUSE-SU-2025:01946-1

SUSE-SU-2025:21170-1

SUSE-SU-2025_01769-1

SUSE-SU-2025_01814-1

USN-7663-1

Affected Products

Alt Linux

Firefox

Linuxmint

Suse

Ubuntu

PT-2025-22990 · Mozilla+4 · Firefox+4

CVE-2025-5265

Weakness Enumeration

Related Identifiers

Affected Products

References · 211