Mozilla has rolled out Firefox 145, addressing a series of high-severity vulnerabilities that could allow attackers to execute arbitrary code on users' systems.
Released on November 11, 2025, the release patches flaws primarily in the browser's graphics, JavaScript, and DOM components, and Mozilla urges immediate upgrades to mitigate the risk of exploitation.
The update addresses 15 CVEs, with eight rated high impact, four moderate, and one low. A standout issue is CVE-2025-13027, a cluster of memory safety bugs discovered by Mozilla's Fuzzing Team in Firefox 144 and Thunderbird 144.
These flaws showed evidence of memory corruption, and experts believe determined attackers could exploit them to achieve remote code execution, bypassing browser sandboxes and compromising entire devices.
Such vulnerabilities often stem from buffer overflows or improper memory handling, making them prime targets for sophisticated malware campaigns.
Firefox 145 – Security Update
Graphics and WebGPU components bore the brunt of the fixes. CVE-2025-13021, CVE-2025-13022, and CVE-2025-13025, reported by Atte Kettunen and Oskar L, involve incorrect boundary conditions in WebGPU processing.
These could trigger out-of-bounds reads or writes, potentially leading to crashes or code injection while rendering malicious web content.
More alarmingly, CVE-2025-13023 and CVE-2025-13026 enable sandbox escapes, allowing restricted code to leave the sandbox and access sensitive system resources.
Reporters Oskar L and Jamie Nicol highlighted how these bugs abuse WebGPU's high-performance rendering, a feature increasingly targeted as web apps grow more graphics-intensive.
JavaScript-related flaws add to the urgency. CVE-2025-13016, from Igor Morgenstern, fixes boundary errors in WebAssembly, while CVE-2025-13024, uncovered by Project KillFuzz of Qrious Secure, resolves a JIT miscompilation that could turn optimized code into a vector for malicious execution.
A race condition in the Graphics component (CVE-2025-13012, by Irvan Kurniawan) further exposes the browser to timing-based attacks.
Moderate-impact issues include same-origin policy bypasses in DOM components (CVE-2025-13017, CVE-2025-13019) and mitigation bypasses in security and HTML parsing (CVE-2025-13018, CVE-2025-13013).
WebRTC vulnerabilities such as use-after-free errors (CVE-2025-13020, CVE-2025-13014) could expose audio/video streams, while a low-impact spoofing bug (CVE-2025-13015) affects UI integrity.
| CVE ID | Component | Description |
|---|---|---|
| CVE-2025-13021 | Graphics: WebGPU | Incorrect boundary conditions |
| CVE-2025-13022 | Graphics: WebGPU | Incorrect boundary conditions |
| CVE-2025-13012 | Graphics | Race condition |
| CVE-2025-13023 | Graphics: WebGPU | Sandbox escape due to incorrect boundary conditions |
| CVE-2025-13016 | JavaScript: WebAssembly | Incorrect boundary conditions |
| CVE-2025-13024 | JavaScript Engine: JIT | JIT miscompilation |
| CVE-2025-13025 | Graphics: WebGPU | Incorrect boundary conditions |
| CVE-2025-13026 | Graphics: WebGPU | Sandbox escape due to incorrect boundary conditions |
| CVE-2025-13017 | DOM: Notifications | Same-origin policy bypass |
| CVE-2025-13018 | DOM: Security | Mitigation bypass |
| CVE-2025-13019 | DOM: Workers | Same-origin policy bypass |
| CVE-2025-13013 | DOM: Core & HTML | Mitigation bypass |
| CVE-2025-13020 | WebRTC: Audio/Video | Use-after-free |
| CVE-2025-13014 | Audio/Video | Use-after-free |
| CVE-2025-13015 | Firefox | Spoofing issue |
| CVE-2025-13027 | Multiple (Memory safety) | Memory safety bugs fixed in Firefox 145 and Thunderbird 145; evidence of memory corruption, potential for arbitrary code execution |
Mozilla emphasizes that no in-the-wild exploitation has been confirmed, but the high impact, especially the potential for arbitrary code execution, warrants swift action. Users on unpatched versions face elevated risk from drive-by downloads and phishing sites.
The advisory also covers Thunderbird 145 for the related memory safety issues. To stay secure, download Firefox 145 from mozilla.org or enable auto-updates. Enterprises should scan for vulnerable instances and review WebGPU usage in custom apps.
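The version scan suggested above, as an added example that is not part of the original article or of any Mozilla tooling: it classifies `firefox --version` / `thunderbird --version` banners against the fixed release (145 for both products, as stated in the advisory) and refuses to guess about ESR builds, which this article does not cover. The host names and banners are constructed.

```python
import re
from dataclasses import dataclass

# Minimum mainline versions carrying the fixes from the advisory above
# (Firefox 145 and Thunderbird 145). ESR builds live on a separate branch
# that this article does not describe, so they are reported as "unknown".
FIXED = {"firefox": (145, 0), "thunderbird": (145, 0)}

# Matches the output of `firefox --version` / `thunderbird --version`,
# e.g. "Mozilla Firefox 144.0.2" or "Mozilla Firefox 140.4.0esr".
BANNER_RE = re.compile(
    r"^Mozilla (?P<product>Firefox|Thunderbird) "
    r"(?P<major>\d+)\.(?P<minor>\d+)(?:\.\d+)?(?P<esr>esr)?$",
    re.IGNORECASE,
)

@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    version: str
    status: str  # "patched", "vulnerable" or "unknown"

def classify(host: str, banner: str) -> Finding:
    """Decide whether one host's Firefox/Thunderbird is below the fixed release."""
    banner = banner.strip()
    m = BANNER_RE.match(banner)
    if m is None:
        # Not a Mozilla banner at all: do not guess, report for manual review.
        return Finding(host, "?", banner, "unknown")
    product = m.group("product").lower()
    shown = banner.split(" ", 2)[2]
    if m.group("esr"):
        return Finding(host, product, shown, "unknown")
    version = (int(m.group("major")), int(m.group("minor")))
    status = "patched" if version >= FIXED[product] else "vulnerable"
    return Finding(host, product, shown, status)

def scan(inventory: dict[str, str]) -> list[Finding]:
    """Classify every host in a {host: version banner} inventory."""
    return [classify(h, b) for h, b in inventory.items()]

# Constructed inventory for demonstration, not real hosts.
SAMPLE_INVENTORY = {
    "ws-01": "Mozilla Firefox 144.0.2",
    "ws-02": "Mozilla Firefox 145.0",
    "ws-03": "Mozilla Firefox 140.4.0esr",
    "mail-01": "Mozilla Thunderbird 144.0",
    "ws-04": "chromium 131.0",
}
```

`scan(SAMPLE_INVENTORY)` returns one `Finding` per host; in practice the banners would come from an endpoint inventory or from running the version command on each host.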
