Mozilla releases patches for multiple flaws in Firefox and Thunderbird, one critical
Take action: Patch your Firefox and all Firefox-based browsers (Waterfox, Tor...) and the Thunderbird mail client. It's better not to wait for the hackers to start exploiting the flaws. The update is very simple and all your tabs reopen afterwards. Don't delay.
Mozilla has released Firefox 139 to address multiple security vulnerabilities, including one critical-severity flaw that poses significant security risks to users. The update fixes ten vulnerabilities in Firefox and Thunderbird.
The security update addresses the following vulnerabilities:
- MFSA-TMP-2025-0001 (no CVSS score, Mozilla tags as critical): Double-free in libvpx encoder. This flaw occurs in vpx_codec_enc_init_multi after a failed allocation when initializing the encoder for WebRTC functionality. The vulnerability could cause memory corruption and lead to a potentially exploitable crash, allowing attackers to compromise user systems during video conferencing or other WebRTC-based activities.
- CVE-2025-5270 (CVSS score 7.5, Mozilla tags as low): SNI sometimes sent unencrypted even when encrypted DNS is enabled.
- CVE-2025-5272 (CVSS score 7.3, Mozilla tags as moderate): Memory safety bugs specific to Firefox 138 and Thunderbird 138.
- CVE-2025-5268 (CVSS score 6.5, Mozilla tags as moderate): Memory safety bugs in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10.
- CVE-2025-5266 (CVSS score 6.5, Mozilla tags as moderate): Script element events leaked cross-origin resource status, enabling XS-Leaks attacks.
- CVE-2025-5271 (CVSS score 6.5, Mozilla tags as low): Devtools preview ignored CSP headers, allowing content injection attacks.
- CVE-2025-5267 (CVSS score 5.4, Mozilla tags as low): Clickjacking vulnerability could lead to leaking saved payment card details.
- CVE-2025-5264 (CVSS score 4.8, Mozilla tags as moderate): Potential local code execution in the "Copy as cURL" command due to insufficient newline escaping.
- CVE-2025-5265 (CVSS score 4.8, Mozilla tags as moderate): Potential local code execution in the "Copy as cURL" command due to insufficient ampersand escaping (Windows only).
- CVE-2025-5263 (CVSS score 4.3, Mozilla tags as moderate): Error handling for script execution incorrectly isolated from web content.
The "Copy as cURL" vulnerabilities (CVE-2025-5264 and CVE-2025-5265) could allow attackers to trick users into executing malicious commands on their local systems through insufficient character escaping. The cross-origin information leakage issues (CVE-2025-5263 and CVE-2025-5266) could enable sophisticated attack techniques that bypass same-origin security policies. The memory safety bugs show evidence of memory corruption that could potentially be exploited to achieve arbitrary code execution with sufficient effort.
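The two "Copy as cURL" entries above come down to one defensive rule: anything copied from a captured request (URL, header names and values, body) is attacker-controlled text that will be pasted into a terminal, so every piece must be quoted for the target shell and line breaks must be rejected outright. The following is an added illustration of that rule, written here for this page; it is not Mozilla's devtools code and says nothing about how the Firefox bug itself was structured. The `shQuote`, `assertNoLineBreaks` and `buildCurlCommand` functions and the `sampleRequest` object are constructed for the example, and the quoting targets a POSIX shell only.

```javascript
// Added example (not Mozilla's code): generating a cURL command line from
// captured request data while quoting every untrusted value for a POSIX shell.
// Header names and values come from the network, so they must be treated as
// hostile when they are pasted into a terminal.

// Wrap a value in single quotes for POSIX sh. Inside single quotes the only
// character that needs special handling is the single quote itself, which is
// emitted as '\'' (close quote, escaped quote, reopen quote).
function shQuote(value) {
  return "'" + String(value).replace(/'/g, "'\\''") + "'";
}

// HTTP header names and values must not contain CR or LF; a value that does is
// either malformed or an injection attempt, so refuse to emit the command
// rather than trying to escape a line break.
function assertNoLineBreaks(field, value) {
  if (/[\r\n]/.test(String(value))) {
    throw new Error(`refusing to emit ${field} containing CR/LF`);
  }
}

// Build the command for a POSIX shell. Each argument is quoted individually so
// that shell metacharacters (&, ;, |, $, backticks) stay literal text.
function buildCurlCommand(request) {
  assertNoLineBreaks("url", request.url);
  const parts = ["curl", shQuote(request.url)];
  if (request.method && request.method !== "GET") {
    parts.push("-X", shQuote(request.method));
  }
  for (const [name, value] of Object.entries(request.headers || {})) {
    assertNoLineBreaks("header name", name);
    assertNoLineBreaks("header value", value);
    parts.push("-H", shQuote(`${name}: ${value}`));
  }
  if (request.body !== undefined) {
    assertNoLineBreaks("body", request.body);
    parts.push("--data-raw", shQuote(request.body));
  }
  return parts.join(" ");
}

// Constructed sample request (not captured from any real site) whose header
// value contains shell metacharacters; after quoting they are one literal
// argument to curl rather than a second command.
const sampleRequest = {
  url: "https://example.test/api?x=1&y=2",
  method: "POST",
  headers: {
    "Content-Type": "application/json",
    "X-Note": "it's fine; echo injected & whoami",
  },
  body: '{"k":"v"}',
};

console.log(buildCurlCommand(sampleRequest));
```

The same rule applies on Windows, but cmd.exe does not treat single quotes as quoting characters and uses `&` as a command separator, so a generator that targets cmd.exe needs its own escaping routine; reusing the POSIX quoting there would be exactly the kind of gap the Windows-only entry describes.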
All vulnerabilities have been resolved in Firefox 139, and users are strongly advised to update immediately to protect against potential exploitation.