Medium severity4.8NVD Advisory· Published May 27, 2025· Updated Apr 13, 2026
CVE-2025-5265
CVE-2025-5265
Description
Due to insufficient escaping of the ampersand character in the “Copy as cURL” feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. *This bug only affects Firefox for Windows. Other versions of Firefox are unaffected.*. This vulnerability was fixed in Firefox 139, Firefox ESR 115.24, Firefox ESR 128.11, Thunderbird 139, and Thunderbird 128.11.
Affected products
2cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*+ 1 more
- cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*range: <115.24.0
- cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*range: <139.0
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
6- www.mozilla.org/security/advisories/mfsa2025-42/nvdVendor Advisory
- www.mozilla.org/security/advisories/mfsa2025-43/nvdVendor Advisory
- www.mozilla.org/security/advisories/mfsa2025-44/nvdVendor Advisory
- bugzilla.mozilla.org/show_bug.cginvdPermissions Required
- www.mozilla.org/security/advisories/mfsa2025-45/nvd
- www.mozilla.org/security/advisories/mfsa2025-46/nvd
News mentions
0No linked articles in our index yet.