What vulnerabilities did Mozilla patch in their latest security update?

Mozilla released security updates patching multiple high-severity vulnerabilities in Firefox and Thunderbird. The updates address 13 vulnerabilities total, including seven rated as High severity and six rated as Moderate severity. These include use-after-free vulnerabilities, memory safety bugs, out-of-bounds read/write operations, cross-process information disclosure, and various spoofing and bypass issues.

What Mozilla products are affected by these vulnerabilities?

The vulnerabilities affect Mozilla Firefox, Firefox ESR (Extended Support Release), and Thunderbird email client, including both standard and ESR versions. Some vulnerabilities are specific to certain platforms, with several affecting Android versions and Windows systems specifically.

What are the most critical vulnerabilities in the Mozilla security update?

The most critical vulnerabilities include CVE-2025-11708 (use-after-free in MediaTrackGraphImpl with CVSS 9.8), CVE-2025-11709 (out-of-bounds read/write in WebGL textures with CVSS 9.8), CVE-2025-11710 (cross-process information disclosure with CVSS 9.8), CVE-2025-11721 (memory safety bug in Firefox 143 with CVSS 9.8), and CVE-2025-11714 and CVE-2025-11715 (memory safety bugs with CVSS 8.8).

What is CVE-2025-11708?

CVE-2025-11708 is a high-severity use-after-free vulnerability with a CVSS score of 9.8 in MediaTrackGraphImpl::GetInstance() that could lead to memory corruption. This type of vulnerability can potentially be exploited for remote code execution.

What is CVE-2025-11709?

CVE-2025-11709 is a high-severity vulnerability with a CVSS score of 9.8 involving out-of-bounds read/write operations in privileged processes that can be triggered through manipulated WebGL textures. This could potentially allow attackers to corrupt memory and execute arbitrary code.

What versions should users update to?

Users should update to Firefox 144, Firefox ESR 115.29 or 140.4, Thunderbird 144, or Thunderbird ESR 140.4. These patched versions address all the identified vulnerabilities and should be installed as soon as possible.

What types of vulnerabilities were patched in Mozilla products?

Mozilla patched various types of vulnerabilities including use-after-free bugs, memory safety issues with potential for code execution, out-of-bounds read/write operations, cross-process information disclosure, JavaScript Object property write protection bypasses, address bar spoofing on Android, sandboxed iframe permission bypasses, code execution through developer tools commands, and XSS vulnerabilities through OBJECT tag manipulation.

Are there Android-specific vulnerabilities in this Mozilla update?

Yes, several vulnerabilities specifically affect Android versions of Mozilla products. These include CVE-2025-11717 (password edit screen visibility issue in Android card view), CVE-2025-11720 (spoofing risk in Android custom tabs), CVE-2025-11716 (sandboxed iframe permission bypass on Android), and CVE-2025-11718 (address bar spoofing on Android using visibilitychange events).

What is the severity rating of the Mozilla vulnerabilities?

Mozilla patched 13 vulnerabilities with varying severity levels. Seven vulnerabilities are rated as High severity by Mozilla, with CVSS scores ranging from 6.5 to 9.8. Six vulnerabilities are rated as Moderate severity by Mozilla, with CVSS scores ranging from 6.1 to 9.8. Several vulnerabilities have CVSS scores of 9.8, indicating critical severity in the standard scoring system.

What should Firefox and Thunderbird users do about these vulnerabilities?

Users should immediately update their Mozilla products to the latest patched versions. Firefox users should update to version 144, Firefox ESR users should update to version 115.29 or 140.4, and Thunderbird users should update to version 144 or ESR 140.4. These updates address multiple high-severity vulnerabilities that could lead to memory corruption and code execution.

What is CVE-2025-11714?

CVE-2025-11714 is a high-severity vulnerability with a CVSS score of 8.8 involving multiple memory safety bugs affecting all Mozilla product versions. There is evidence of exploitable memory corruption, making this a significant security risk that could potentially be leveraged for code execution.

Advisory

Mozilla patches multiple high severity flaws in Firefox and Thunderbird

Q: Are Thunderbird users at risk from these vulnerabilities?

While Thunderbird is affected by these vulnerabilities, the risk is lower for typical email use. The vulnerabilities generally cannot be exploited through email because scripting is disabled when reading mail. However, they remain potential risks in browser or browser-like contexts within Thunderbird, so users should still update to the patched version.

published: Oct. 16, 2025

Take action: If you're using Mozilla Firefox or Thunderbird, time for a big update. Update to Firefox 144, Firefox ESR 115.29/140.4, or Thunderbird 144/ESR 140.4. There are multiple vulnerabilities and even if Mozilla hasn't ranked them critical, they may be exploited. Patching is very easy and all your tabs reopen. So don't ignore this update.

Learn More

Mozilla has released security updates patching multiple high-severity vulnerabilities in its Firefox and Thunderbird product lines

Vulnerabilities summary:

CVE-2025-11708 (CVSS score 9.8, Mozilla score High): Use-after-free vulnerability in MediaTrackGraphImpl::GetInstance() that could lead to memory corruption
CVE-2025-11709 ((CVSS score 9.8, Mozilla score High): Out-of-bounds read/write operations in privileged processes triggered through manipulated WebGL textures
CVE-2025-11710 (CVSS score 9.8, Mozilla score High): Cross-process information disclosure through malicious IPC messages exposing memory blocks
CVE-2025-11721 (CVSS score 9.8, Mozilla score High): Memory safety bug specific to Firefox 143 and Thunderbird 143 with potential for code execution
CVE-2025-11714 (CVSS score 8.8, Mozilla score High): Multiple memory safety bugs affecting all product versions with evidence of exploitable memory corruption
CVE-2025-11715 (CVSS score 8.8, Mozilla score High): Additional memory safety bugs in Firefox ESR 140.x and Thunderbird ESR 140.x branches
CVE-2025-11711 (CVSS score 6.5, Mozilla score High): Bypass of JavaScript Object property write protections allowing modification of non-writable properties
CVE-2025-11719 (CVSS score 9.8, Mozilla score Moderate): Use-after-free in native messaging web extension API on Windows
CVE-2025-11717 (CVSS score 9.1, Mozilla score Moderate): Password edit screen visibility issue in Android card view
CVE-2025-11713 (CVSS score 8.1, Mozilla score Moderate): Code execution through "Copy as cURL" command on Windows systems
CVE-2025-11720 (CVSS score 8.1, Mozilla score Moderate): Spoofing risk in Android custom tabs displaying incomplete hostname information
CVE-2025-11716 (CVSS score 6.5, Mozilla score Moderate): Sandboxed iframe permission bypass on Android
CVE-2025-11718 (CVSS score 6.5, Mozilla score Moderate): Address bar spoofing on Android using visibilitychange events
CVE-2025-11712 (CVSS score 6.1, Mozilla score Moderate): OBJECT tag type attribute override allowing XSS contributions

Users should update patches to Firefox 144, Firefox ESR 115.29 and 140.4, Thunderbird 144 or ESR 140.4. The vulnerabilities in Thunderbird, generally cannot be exploited through email because scripting is disabled when reading mail, but they remain potential risks in browser or browser-like contexts.

Mozilla patches multiple high severity flaws in Firefox and Thunderbird

Read More
Google releases October 2024 Android patches, fixes 26 …
Google releases July 2025 patch package including fix …
Google releases Android August patches, fixes at least …
Microsoft December 2025 patch Tuesday fixes one actively …
Active GithHub Phishing campaign impersonating GitHub Recruitment