Mozilla releases Firefox patches, fixes 15 vulnerabilities including sandbox escape flaws
Take action: Update your Firefox browser and Thunderbird email client. Firefox fixed two sandbox escape vulnerabilities in WebGPU that could let attackers break out of the browser and run code on your computer. There are no exploits yet, but your browser and email client are your first point of contact with the internet, so they will be the first to run into exploits when they appear. It is better to update now; all tabs reopen automatically.
Mozilla released Firefox 145 on November 11, 2025, patching 15 security vulnerabilities in the browser's graphics rendering engine, JavaScript processing capabilities, and security boundaries.
Several vulnerabilities enable attackers to escape browser sandboxes and execute arbitrary code on compromised systems.
The most critical threats in this security update are the two sandbox escape vulnerabilities, CVE-2025-13023 and CVE-2025-13026, both affecting Firefox's WebGPU implementation. Modern web browsers employ sandboxing as a fundamental security mechanism to isolate potentially malicious web content from the underlying operating system. When properly implemented, sandboxes prevent compromised renderer processes from accessing sensitive system resources, reading files, or executing arbitrary code outside the browser's controlled environment.
The high-severity vulnerabilities patched in Firefox 145 are:
- CVE-2025-13021 - Incorrect boundary conditions in the Graphics: WebGPU component
- CVE-2025-13022 - Incorrect boundary conditions in the Graphics: WebGPU component
- CVE-2025-13023 - Sandbox escape due to incorrect boundary conditions in the Graphics: WebGPU component
- CVE-2025-13024 - JIT miscompilation in the JavaScript Engine: JIT component
- CVE-2025-13025 - Incorrect boundary conditions in the Graphics: WebGPU component
- CVE-2025-13026 - Sandbox escape due to incorrect boundary conditions in the Graphics: WebGPU component
- CVE-2025-13012 - Race condition in the Graphics component
- CVE-2025-13016 - Incorrect boundary conditions in the JavaScript: WebAssembly component
- CVE-2025-13027 - Memory safety bugs fixed in Firefox 145 and Thunderbird 145
The moderate-severity vulnerabilities are:
- CVE-2025-13017 - Same-origin policy bypass in the DOM: Notifications component
- CVE-2025-13018 - Mitigation bypass in the DOM: Security component
- CVE-2025-13019 - Same-origin policy bypass in the DOM: Workers component
- CVE-2025-13013 - Mitigation bypass in the DOM: Core & HTML component
- CVE-2025-13020 - Use-after-free in the WebRTC: Audio/Video component
- CVE-2025-13014 - Use-after-free in the Audio/Video component
The low-severity vulnerability is:
- CVE-2025-13015 - Spoofing issue in Firefox
As of the advisory date, there have been no reports of active exploitation of any vulnerabilities addressed in Firefox 145. However, security researchers and Mozilla's team emphasize that the high-impact nature of the patched flaws, especially the sandbox escape capabilities, memory safety bugs, and JIT compiler issues, makes them attractive targets for advanced threat actors.
Mozilla strongly recommends that all Firefox users upgrade to version 145 immediately through the browser's built-in automatic update mechanism or by manually downloading the latest version from mozilla.org. Firefox's automatic update system will deliver security patches to most users within 24-48 hours of release, provided users have not disabled automatic updates.