Cyber Web Spider Blog – News


Firefox 141 Released With Fix for Multiple Vulnerabilities

Posted on July 23, 2025 by CWS

Mozilla has released Firefox 141 to address 17 security vulnerabilities, including several high-impact flaws that could potentially allow arbitrary code execution.

The Mozilla Foundation Security Advisory, announced on July 22, 2025, urges users to update immediately to protect against these critical security issues.

Key Takeaways
1. Firefox 141 patches critical vulnerabilities that could allow code execution.
2. High-impact bugs affect core browser functions on 64-bit and ARM systems.
3. Mozilla urges immediate update to protect against these security risks.

JavaScript Engine and Memory Safety Flaws

The most severe vulnerabilities center on Firefox’s JavaScript engine and memory management systems.

CVE-2025-8027 represents a particularly dangerous flaw where the IonMonkey-JIT compiler only wrote 32 bits of a 64-bit return value to the stack on 64-bit platforms, while the Baseline-JIT read the entire 64 bits. This mismatch could lead to unpredictable behavior and potential code execution.

Another critical issue, CVE-2025-8028, affects ARM64 systems where WebAssembly br_table instructions with numerous entries could cause label truncation, resulting in incorrect branch address calculations.

The update also addresses several memory safety bugs tracked as CVE-2025-8044, CVE-2025-8034, CVE-2025-8040, and CVE-2025-8035, which Mozilla’s security team believes could be exploited for arbitrary code execution with sufficient effort.

Cross-Origin and Content Security Policy

Several vulnerabilities involved circumventing important web security mechanisms. CVE-2025-8036 allowed attackers to bypass Cross-Origin Resource Sharing (CORS) protections through DNS rebinding attacks, as Firefox cached CORS preflight responses across IP address changes.

The browser also suffered from Content Security Policy (CSP) bypass issues, including CVE-2025-8032 where XSLT document loading did not propagate source document CSP restrictions.

Authentication credentials faced exposure risk through CVE-2025-8031, where username:password combinations were not properly stripped from URLs in CSP reports, potentially leaking HTTP Basic Authentication credentials.
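Because a CSP report collector may still receive reports from browsers that have not been updated, the collector can strip credentials itself before anything is logged. The following is an added example, not code from Mozilla or from the original article; the function names and the sample report are constructed for illustration, and the field names assume the JSON body sent to a `report-uri` endpoint.

```javascript
// Added example: scrub URL credentials from an incoming CSP violation report
// before it is stored, and record which fields carried them.
const URL_FIELDS = ["document-uri", "blocked-uri", "referrer", "source-file"];

// Remove username:password from one URL value. Keyword values such as
// "inline" or "eval" and empty strings are returned unchanged.
function stripUserinfo(value) {
  if (typeof value !== "string" || value === "") return value;
  let url;
  try {
    url = new URL(value);
  } catch {
    return value; // not an absolute URL, nothing to strip
  }
  if (url.username === "" && url.password === "") return value;
  url.username = "";
  url.password = "";
  return url.toString();
}

// Return a scrubbed copy of the report plus the names of the fields that
// contained credentials, so the leak can be alerted on and the password rotated.
function scrubCspReport(body) {
  const report = { ...(body["csp-report"] || {}) };
  const leakedFields = [];
  for (const field of URL_FIELDS) {
    if (!(field in report)) continue;
    const cleaned = stripUserinfo(report[field]);
    if (cleaned !== report[field]) leakedFields.push(field);
    report[field] = cleaned;
  }
  return { report, leakedFields };
}

// Constructed sample of what an unpatched browser could send.
const SAMPLE_REPORT = {
  "csp-report": {
    "document-uri": "https://alice:s3cret@intranet.example/app?x=1",
    "referrer": "https://alice:s3cret@intranet.example/",
    "blocked-uri": "inline",
    "violated-directive": "script-src 'self'",
  },
};

console.log(scrubCspReport(SAMPLE_REPORT));
```

A non-empty `leakedFields` list is worth an alert of its own: the credential has already crossed the network to the report endpoint and should be treated as exposed.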

Additionally, CVE-2025-8029 enabled execution of javascript: URLs when embedded in object and embed tags, creating another attack vector.

| CVE | Title | Impact |
|---|---|---|
| CVE-2025-8027 | JavaScript engine only wrote partial return value to stack | High |
| CVE-2025-8028 | Large branch table could lead to truncated instruction | High |
| CVE-2025-8044 | Memory safety bugs fixed in Firefox 141 and Thunderbird 141 | High |
| CVE-2025-8034 | Memory safety bugs fixed in Firefox ESR 115.26, Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141 | High |
| CVE-2025-8040 | Memory safety bugs fixed in Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141 | High |
| CVE-2025-8035 | Memory safety bugs fixed in Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141 | High |
| CVE-2025-8041 | Incorrect URL truncation in Firefox for Android | Moderate |
| CVE-2025-8042 | Sandboxed iframe could start downloads | Moderate |
| CVE-2025-8029 | javascript: URLs executed on object and embed tags | Moderate |
| CVE-2025-8036 | DNS rebinding circumvents CORS | Moderate |
| CVE-2025-8037 | Nameless cookies shadow secure cookies | Moderate |
| CVE-2025-8030 | Potential user-assisted code execution in “Copy as cURL” command | Moderate |
| CVE-2025-8043 | Incorrect URL truncation | Moderate |
| CVE-2025-8031 | Incorrect URL stripping in CSP reports | Moderate |
| CVE-2025-8032 | XSLT documents could bypass CSP | Moderate |
| CVE-2025-8038 | CSP frame-src was not correctly enforced for paths | Low |
| CVE-2025-8039 | Search terms persisted in URL bar | Low |
| CVE-2025-8033 | Incorrect JavaScript state machine for generators | Low |

Android Fixes

Firefox for Android received specific attention with fixes for CVE-2025-8041 and CVE-2025-8042.

The first addressed incorrect URL truncation in the address bar, where URLs were shortened from the end rather than prioritizing the origin display.

The second vulnerability allowed sandboxed iframes without the allow-downloads attribute to initiate downloads, breaking the intended security sandbox.

The update also resolves cookie shadowing issues through CVE-2025-8037, where nameless cookies with equals signs could shadow secure cookies even when set over unencrypted HTTP connections.

Mozilla strongly recommends all Firefox users update immediately to version 141 to protect against these vulnerabilities, which range from high-impact memory corruption issues to moderate privacy and security bypasses.
