Mozilla addresses multiple High-Severity flaws with Firefox 138 release

Mozilla has released Firefox 138, fixing several high-severity security vulnerabilities

High-Severity  Vulnerabilities per Mozilla

• CVE-2025-2817 (CVSS score 8.8) - a privilege escalation vulnerability in Firefox Updater. Allows medium-integrity user processes to interfere with SYSTEM-level updaters by manipulating file-locking behavior. By injecting code into user-privileged processes, attackers could bypass access controls, enabling SYSTEM-level file operations on paths controlled by non-privileged users.
• CVE-2025-4082 (CVSS score 8.8)  - a WebGL shader attribute memory corruption in Firefox for macOS. This vulnerability could trigger an out-of-bounds read which, when chained with other vulnerabilities, could be used to escalate privileges. This bug only affects Firefox for macOS.
• CVE-2025-4083 (CVSS score 9.3) - a process isolation bypass using "javascript:" URI links in cross-origin frames. This vulnerability could allow content to execute in the top-level document's process instead of the intended frame, potentially enabling a sandbox escape.
• CVE-2025-4092 (CVSS score 6.5): Tracked as memory safety bugs affecting Firefox 137 and Thunderbird 137. These bugs showed evidence of memory corruption and could potentially be exploited to run arbitrary code.

Medium and Low Severity Vulnerabilities

• CVE-2025-4085: Potential information leakage and privilege escalation in UITour actor
• CVE-2025-4086: Specially crafted filename could be used to obscure download type (Firefox for Android only)
• CVE-2025-4087: Unsafe attribute access during XPath parsing
• CVE-2025-4088: Cross-site request forgery via storage access API redirects
• CVE-2025-4089: Potential local code execution in "copy as cURL" command
• CVE-2025-4091: Memory safety bugs affecting multiple products

There are currently no reports of these vulnerabilities being exploited in the wild. As a matter of good hygiene, users are  encouraged to update to Firefox 138.