Medium severity4.8NVD Advisory· Published May 27, 2025· Updated Apr 13, 2026
CVE-2025-5264
CVE-2025-5264
Description
Due to insufficient escaping of the newline character in the “Copy as cURL” feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. This vulnerability was fixed in Firefox 139, Firefox ESR 115.24, Firefox ESR 128.11, Thunderbird 139, and Thunderbird 128.11.
Affected products
2cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*+ 1 more
- cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*range: <115.24.0
- cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*range: <139.0
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
8- www.mozilla.org/security/advisories/mfsa2025-42/nvdVendor Advisory
- www.mozilla.org/security/advisories/mfsa2025-43/nvdVendor Advisory
- www.mozilla.org/security/advisories/mfsa2025-44/nvdVendor Advisory
- bugzilla.mozilla.org/show_bug.cginvdPermissions Required
- lists.debian.org/debian-lts-announce/2025/05/msg00043.htmlnvd
- lists.debian.org/debian-lts-announce/2025/05/msg00046.htmlnvd
- www.mozilla.org/security/advisories/mfsa2025-45/nvd
- www.mozilla.org/security/advisories/mfsa2025-46/nvd
News mentions
0No linked articles in our index yet.