High severity7.8NVD Advisory· Published Jun 11, 2025· Updated Apr 13, 2026

CVE-2025-5687

Description

A vulnerability in Mozilla VPN on macOS allows privilege escalation from a normal user to root. *This bug only affects Mozilla VPN on macOS. Other operating systems are unaffected.*. This vulnerability was fixed in Mozilla VPN 2.28.0 (macOS).

Affected products

Mozilla Corporation/VPN
cpe:2.3:a:mozilla:vpn:*:*:*:*:*:macos:*:*
Range: <2.28.0

Patches

bb7d5d629849

version decrease (#10525)

https://github.com/mozilla-mobile/mozilla-vpn-clientMCleinmanMay 23, 2025via osv

commit

1 file changed · +1 −1

version.txt+1 −1 modified
```
@@ -1 +1 @@
-2.29.0
+2.28.0
```

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

www.mozilla.org/security/advisories/mfsa2025-48/nvdVendor Advisory
bugzilla.mozilla.org/show_bug.cginvdPermissions Required

News mentions

No linked articles in our index yet.

cvss	0.507
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000