CVE-2025-5265

Due to insufficient escaping of the ampersand character in the “Copy as cURL” feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. This bug only affects Firefox for Windows. Other versions of Firefox are unaffected. This vulnerability affects Firefox < 139, Firefox ESR < 115.24, Firefox ESR < 128.11, Thunderbird < 139, and Thunderbird < 128.11.

Published: May 27, 2025
Updated: Jun 12, 2025
CVE: CVE-2025-5265
Exploit:

No technical information available.

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
mozilla / firefox	-	139.0
mozilla / firefox	-	115.24.0
mozilla / firefox	116.0	128.11.0

https://bugzilla.mozilla.org/show_bug.cgi?id=1962301
https://www.mozilla.org/security/advisories/mfsa2025-42/
https://www.mozilla.org/security/advisories/mfsa2025-43/
https://www.mozilla.org/security/advisories/mfsa2025-44/
https://www.mozilla.org/security/advisories/mfsa2025-45/
https://www.mozilla.org/security/advisories/mfsa2025-46/

Vulnerability Database

289,689

CVE-2025-5265