Mozilla has released Firefox 142 to address a number of high-severity security vulnerabilities that could allow attackers to execute arbitrary code remotely on affected systems.
The security advisory, published on August 19, 2025, lists nine distinct vulnerabilities ranging from sandbox escapes to memory safety bugs, several of which are classified as high-impact issues capable of enabling remote code execution (RCE).
Key Takeaways
1. Firefox 142 patches nine vulnerabilities, including ones that enable remote code execution and sandbox escapes.
2. Attackers can execute arbitrary code via memory corruption and security-bypass bugs.
3. Update Firefox immediately to prevent remote attacks.
The most critical vulnerabilities include CVE-2025-9179, a sandbox escape in the Audio/Video GMP (Gecko Media Plugin) component, reported by security researcher Oskar.
The flaw allows memory corruption inside the heavily sandboxed GMP process that handles encrypted media content, potentially letting an attacker escalate beyond the restrictions placed on the standard content process.
Mozilla RCE Vulnerabilities
The set of fixes also includes CVE-2025-9180, a same-origin policy bypass in the Graphics Canvas2D component, discovered by researcher Tom Van Goethem.
This flaw undermines the fundamental web security model that prevents cross-origin resource access, potentially enabling a malicious website to read sensitive data belonging to other origins.
Three separate memory safety vulnerabilities pose significant RCE risks. CVE-2025-9187 affects Firefox 141 and Thunderbird 141, while CVE-2025-9184 affects Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141, and Thunderbird 141.
The most widespread issue, CVE-2025-9185, affects multiple Extended Support Release (ESR) versions, including Firefox ESR 115.26, 128.13, and 140.1, alongside their Thunderbird counterparts.
Mozilla's security team, including researchers Andy Leiserson, Maurice Dauer, Sebastian Hengst, and the Mozilla Fuzzing Team, identified these memory corruption bugs; some of them showed evidence of memory corruption that Mozilla presumes could, with enough effort, be exploited to run arbitrary code.
Additional vulnerabilities include CVE-2025-9181, an uninitialized memory issue in the JavaScript Engine component reported by Irvan Kurniawan, and several lower-severity issues covering address bar spoofing and a denial-of-service condition in the WebRender graphics component.
CVE ID        | Title                                                                                              | Severity
--------------|----------------------------------------------------------------------------------------------------|---------
CVE-2025-9179 | Sandbox escape due to invalid pointer in Audio/Video GMP component                                 | High
CVE-2025-9180 | Same-origin policy bypass in Graphics Canvas2D component                                           | High
CVE-2025-9181 | Uninitialized memory in JavaScript Engine component                                                | Moderate
CVE-2025-9182 | Denial-of-service due to out-of-memory in Graphics WebRender component                             | Low
CVE-2025-9183 | Spoofing issue in Address Bar component                                                            | Low
CVE-2025-9184 | Memory safety bugs fixed in Firefox ESR 140.2, Thunderbird ESR 140.2, Firefox 142, Thunderbird 142 | High
CVE-2025-9185 | Memory safety bugs fixed in multiple ESR versions and Firefox 142, Thunderbird 142                 | High
CVE-2025-9186 | Spoofing issue in Address Bar component of Firefox Focus for Android                               | Low
CVE-2025-9187 | Memory safety bugs fixed in Firefox 142 and Thunderbird 142                                        | High
Mitigations
Organizations and individual users should prioritize immediate updates to Firefox 142 to mitigate these critical security risks.
The memory safety vulnerabilities are of particular concern for enterprise environments, because they affect both the standard Firefox release and the ESR versions commonly deployed in corporate settings.
Security teams should apply defense-in-depth measures, including network segmentation, endpoint detection and response (EDR), and application sandboxing, to limit the impact of any successful exploitation.
The GMP sandbox escape highlights the importance of process isolation, even inside environments that are already sandboxed.
Mozilla's coordinated disclosure timeline and comprehensive patch coverage across multiple product branches demonstrate effective vulnerability management practices.
However, the discovery of memory corruption issues with RCE potential underscores the ongoing security challenges in modern browser architecture, particularly in the complex media processing and graphics rendering subsystems that handle untrusted content from diverse web sources.
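Because the fixes are spread across the release branch and three ESR branches, "is this host patched?" is a per-branch comparison rather than a single version check. The following script is an added example (not Mozilla tooling) that triages an inventory of installed Firefox/Thunderbird version strings against the minimum patched version of each branch. The release minimum (142.0) and ESR 140.2 come from the advisory table above; the ESR 115.27 and 128.14 minima are assumptions derived from the affected versions the advisory lists (115.26 and 128.13) plus one point release, and the sample inventory is constructed. Confirm the ESR minima against the Mozilla advisory before relying on them.

```python
"""Triage installed Firefox / Thunderbird versions against the Firefox 142 fixes.

Added example, not Mozilla's own tooling. Version strings are expected in the
form printed by `firefox --version` / `thunderbird --version`, e.g.
"Mozilla Firefox 140.1.0esr" or just "142.0".
"""
import re

# Minimum patched version per branch, as (major, minor, patch).
# 142.0 and ESR 140.2 are stated in the advisory; ESR 115.27 and 128.14 are
# ASSUMED (affected version + one point release) and must be verified.
PATCHED_MIN_RELEASE = (142, 0, 0)
PATCHED_MIN_ESR = {
    115: (115, 27, 0),  # assumption
    128: (128, 14, 0),  # assumption
    140: (140, 2, 0),   # from the advisory table
}

# Matches "142.0", "141.0.3", "140.1.0esr"; the esr suffix marks the ESR train.
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?\b")


def parse_version(text):
    """Return ((major, minor, patch), is_esr) from a version string or banner."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    major, minor, patch, esr = m.groups()
    return (int(major), int(minor), int(patch or 0)), esr is not None


def is_patched(text):
    """True if the version carries the Firefox 142 / ESR point-release fixes.

    An ESR build on a branch not listed (e.g. an end-of-life 102esr) is treated
    as unpatched. A version without the esr suffix is compared against the
    release train, so "140.2.0" (no suffix) is conservatively flagged.
    """
    version, is_esr = parse_version(text)
    if is_esr:
        branch_min = PATCHED_MIN_ESR.get(version[0])
        return branch_min is not None and version >= branch_min
    return version >= PATCHED_MIN_RELEASE


def triage(inventory_text):
    """Parse 'host<TAB>version' lines; return sorted hosts that still need updating."""
    needs_update = []
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        host, version = line.split("\t", 1)
        if not is_patched(version):
            needs_update.append(host)
    return sorted(needs_update)


# Constructed sample inventory (hypothetical hosts), one host per line.
SAMPLE_INVENTORY = """\
ws-01\tMozilla Firefox 141.0.3
ws-02\tMozilla Firefox 142.0
ws-03\tMozilla Firefox 140.1.0esr
ws-04\tMozilla Firefox 140.2.0esr
ws-05\tMozilla Thunderbird 128.13.0esr
ws-06\tMozilla Firefox 115.27.0esr
ws-07\tMozilla Firefox 102.15.1esr
"""

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: needs update")
```

In a real deployment the inventory would come from an endpoint management tool or from running `firefox --version` over the fleet; the parsing is deliberately tolerant of the full banner so that output can be fed in unchanged. Hosts whose version string lacks the `esr` suffix but sits on an ESR branch are flagged rather than silently passed, which errs on the side of an extra check.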