CVE-2025-5265
- Source
- https://cve.org/CVERecord?id=CVE-2025-5265
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-5265.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-5265
- Downstream
- Related
- Published
- 2025-05-27T13:15:22.303Z
- Modified
- 2026-03-15T22:51:11.475126Z
- Severity
-
- 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L CVSS Calculator
- Summary
- [none]
- Details
-
Due to insufficient escaping of the ampersand character in the “Copy as cURL” feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. This bug only affects Firefox for Windows. Other versions of Firefox are unaffected. This vulnerability affects Firefox < 139, Firefox ESR < 115.24, Firefox ESR < 128.11, Thunderbird < 139, and Thunderbird < 128.11.
- References
-
- https://www.mozilla.org/security/advisories/mfsa2025-42/
- https://www.mozilla.org/security/advisories/mfsa2025-43/
- https://www.mozilla.org/security/advisories/mfsa2025-44/
- https://www.mozilla.org/security/advisories/mfsa2025-45/
- https://www.mozilla.org/security/advisories/mfsa2025-46/
- https://bugzilla.mozilla.org/show_bug.cgi?id=1962301
Affected packages
Git /
Database specific
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-5265.json"
unresolved_ranges
[
{
"events": [
{
"introduced": "0"
},
{
"fixed": "115.24.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"fixed": "139.0"
}
]
},
{
"events": [
{
"introduced": "116.0"
},
{
"fixed": "128.11.0"
}
]
}
]