Vulnerability Description
Due to insufficient escaping of the newline character in the “Copy as cURL” feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. This vulnerability was fixed in Firefox 139, Firefox ESR 115.24, Firefox ESR 128.11, Thunderbird 139, and Thunderbird 128.11.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mozilla | Firefox | < 115.24.0 |
Related Weaknesses (CWE)
References
- https://bugzilla.mozilla.org/show_bug.cgi?id=1950001Permissions Required
- https://www.mozilla.org/security/advisories/mfsa2025-42/Vendor Advisory
- https://www.mozilla.org/security/advisories/mfsa2025-43/Vendor Advisory
- https://www.mozilla.org/security/advisories/mfsa2025-44/Vendor Advisory
- https://www.mozilla.org/security/advisories/mfsa2025-45/
- https://www.mozilla.org/security/advisories/mfsa2025-46/
- https://lists.debian.org/debian-lts-announce/2025/05/msg00043.html
- https://lists.debian.org/debian-lts-announce/2025/05/msg00046.html
FAQ
What is CVE-2025-5264?
CVE-2025-5264 is a vulnerability with a CVSS score of 4.8 (MEDIUM). Due to insufficient escaping of the newline character in the “Copy as cURL” feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's s...
How severe is CVE-2025-5264?
CVE-2025-5264 has been rated MEDIUM with a CVSS base score of 4.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-5264?
Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Firefox.