Critical severity10.0NVD Advisory· Published Mar 27, 2025· Updated Apr 13, 2026
CVE-2025-2857
CVE-2025-2857
Description
Following the recent Chrome sandbox escape (CVE-2025-2783), various Firefox developers identified a similar pattern in our IPC code. A compromised child process could cause the parent process to return an unintentionally powerful handle, leading to a sandbox escape. The original vulnerability was being exploited in the wild. *This only affects Firefox on Windows. Other operating systems are unaffected.*. This vulnerability was fixed in Firefox 136.0.4, Firefox ESR 128.8.1, and Firefox ESR 115.21.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
7cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*+ 3 more
- cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*range: <136.0.4
- cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*range: <115.21.1
- (no CPE)range: <128.8.1
- (no CPE)range: <136.0.4
- osv-coords3 versionspkg:rpm/opensuse/firefox-esr&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/MozillaFirefox&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/mozjs128&distro=openSUSE%20Tumbleweed
< 128.9.0-1.1+ 2 more
- (no CPE)range: < 128.9.0-1.1
- (no CPE)range: < 136.0.4-1.1
- (no CPE)range: < 128.8.1-1.1
Patches
Vulnerability mechanics
References
4- www.cve.org/CVERecordnvdThird Party Advisory
- www.mozilla.org/security/advisories/mfsa2025-19/nvdVendor Advisory
- bugzilla.mozilla.org/show_bug.cginvdPermissions Required
- issues.chromium.org/issues/405143032nvdPermissions Required
News mentions
0No linked articles in our index yet.