Which Mozilla products are affected by these security vulnerabilities?

Mozilla has addressed these vulnerabilities across multiple product lines including Firefox 141, Firefox ESR versions (115.26, 128.13, and 140.1), and corresponding Thunderbird releases.

What are the most critical vulnerabilities in this Mozilla update?

The most critical vulnerabilities include CVE-2025-8027, CVE-2025-8028, and CVE-2025-8044, all with CVSS scores of 9.8. These involve JavaScript engine issues and memory safety bugs that could lead to arbitrary code execution.

What is CVE-2025-8027?

CVE-2025-8027 is a vulnerability where the JavaScript engine only wrote partial return value to stack, with a CVSS score of 9.8 but rated as high severity by Mozilla. This could potentially be exploited for arbitrary code execution.

What is CVE-2025-8028?

CVE-2025-8028 is a vulnerability where large branch table could lead to truncated instruction, with a CVSS score of 9.8 and rated as high severity by Mozilla. This represents a critical flaw in code execution handling.

How many memory safety bugs were fixed in this Mozilla update?

Multiple memory safety bugs were fixed, including CVE-2025-8044 (CVSS 9.8), CVE-2025-8034 (CVSS 8.8), CVE-2025-8035 (CVSS 8.8), CVE-2025-8040 (CVSS 8.8), and CVE-2025-8029 (CVSS 8.1). These bugs could potentially lead to arbitrary code execution.

Are there Firefox for Android-specific vulnerabilities?

Yes, this update addresses several Firefox for Android-specific vulnerabilities, including CVE-2025-8041 (incorrect URL truncation in Firefox for Android) and issues with URL truncation in the address bar and problems with sandboxed iframe download restrictions.

What CSP (Content Security Policy) vulnerabilities were fixed?

Several CSP-related vulnerabilities were fixed, including CVE-2025-8031 (incorrect URL stripping in CSP reports), CVE-2025-8038 (CSP frame-src not correctly enforced for paths), and CVE-2025-8032 (XSLT documents could bypass CSP).

Why do CVSS scores differ from Mozilla's severity ratings?

Mozilla uses its own internal severity assessment that may differ from the standard CVSS scoring system. For example, several vulnerabilities have CVSS scores of 9.8 but are rated as medium severity by Mozilla, reflecting different risk assessment methodologies and real-world exploitability considerations.

Are these Mozilla vulnerabilities being actively exploited?

No information has been disclosed regarding active exploitation of these vulnerabilities in the wild. Mozilla has not reported any known attacks using these security flaws.

What is Mozilla Foundation Security Advisory 2025-56?

Mozilla Foundation Security Advisory 2025-56 is the official security bulletin under which these Firefox and Thunderbird security updates were announced, documenting multiple high-severity and critical vulnerabilities that have been patched.

What URL-related vulnerabilities were fixed?

Several URL-related issues were addressed, including CVE-2025-8041 and CVE-2025-8043 (incorrect URL truncation), CVE-2025-8031 (incorrect URL stripping in CSP reports), and CVE-2025-8039 (search terms persisted in URL bar).

How should users protect themselves from these Mozilla vulnerabilities?

Users should immediately update to the latest versions: Firefox 141, Firefox ESR versions (115.26, 128.13, and 140.1), or the corresponding Thunderbird releases. Updates can typically be installed through the browser's built-in update mechanism or by downloading from Mozilla's official website.

What is the highest CVSS score among these Mozilla vulnerabilities?

The highest CVSS score is 9.8, assigned to multiple vulnerabilities including CVE-2025-8027, CVE-2025-8028, CVE-2025-8044, CVE-2025-8031, CVE-2025-8038, CVE-2025-8041, CVE-2025-8042, and CVE-2025-8043, indicating critical severity levels.

Were there any sandbox bypass vulnerabilities fixed?

Yes, CVE-2025-8042 addressed an issue where sandboxed iframe could start downloads, which represents a sandbox security bypass that could be exploited by malicious websites to circumvent security restrictions.

Advisory

Mozilla releases updates for Firefox, 18 vulnerabilities patched, multiple critical

published: July 23, 2025

Take action: Time to update your Mozilla Firefox, Thunderbird and the Firefox based browsers (Waterfox, LibreWolf, Zen...). Yes, there is a difference between the CVSS score severity and Mozilla severity. But realistically, it's much faster to just update the browser than burn time on debating the severity and then finding out that hackers did find a way to exploit it - after they hacked you. So update the browsers, all tabs reopen automatically.

Learn More

Mozilla has released Firefox and Thunderbird updates to patch multiple security vulnerabilities, including several high-severity / critical flaws that could potentially enable attackers to execute arbitrary code and compromise user systems

The security update, was announced under Mozilla Foundation Security Advisory 2025-56.

High-Severity Vulnerabilities (CVSS 8.8-9.8):

CVE-2025-8027 (CVSS score 9.8, Mozilla score high severity) - JavaScript engine only wrote partial return value to stack (CVSS score 6.5)
CVE-2025-8028 (CVSS score 9.8, Mozilla score high severity) - Large branch table could lead to truncated instruction
CVE-2025-8044 (CVSS score 9.8, Mozilla score high severity)- Memory safety bugs
CVE-2025-8031 (CVSS score 9.8, Mozilla score medium severity) - Incorrect URL stripping in CSP reports
CVE-2025-8038 (CVSS score 9.8, Mozilla score medium severity) - CSP frame-src was not correctly enforced for paths
CVE-2025-8041 (CVSS score 9.8 Mozilla score medium severity) - Incorrect URL truncation in Firefox for Android
CVE-2025-8042 (CVSS score 9.8, Mozilla score medium severity) - Sandboxed iframe could start downloads
CVE-2025-8043 (CVSS score 9.8, Mozilla score medium severity) - Incorrect URL truncation
CVE-2025-8037 (CVSS score 9.1, Mozilla score medium severity) - Nameless cookies shadow secure cookies
CVE-2025-8034(CVSS score 8.8, Mozilla score high severity) - Memory safety bugs
CVE-2025-8035 (CVSS score 8.8, Mozilla score high severity) - Memory safety bugs
CVE-2025-8040(CVSS score 8.8, Mozilla score high severity) - Memory safety bugs
CVE-2025-8029 (CVSS score 8.1, Mozilla score medium severity)- Memory safety bugs - JavaScript URLs executed on object and embed tags
CVE-2025-8030 (CVSS score 8.1, Mozilla score medium severity) - Potential user-assisted code execution in "Copy as cURL" command
CVE-2025-8032 (CVSS score 8.1, Mozilla score medium severity) - XSLT documents could bypass CSP
CVE-2025-8036 (CVSS score 8.1, Mozilla score medium severity) - DNS rebinding circumvents CORS
CVE-2025-8039 (CVSS score 8.1, Mozilla score low severity)- Search terms persisted in URL bar
CVE-2025-8033 (CVSS score 6.5, Mozilla score low severity) - Incorrect JavaScript state machine for generators

Beyond the security fixes, this update addresses several Firefox for Android-specific vulnerabilities, including issues with URL truncation in the address bar and problems with sandboxed iframe download restrictions.

Mozilla has addressed these vulnerabilities across multiple product lines:

Firefox 141,
Firefox ESR versions (115.26, 128.13, and 140.1),
Corresponding Thunderbird releases.

No information has been disclosed regarding active exploitation of these vulnerabilities in the wild.

Mozilla releases updates for Firefox, 18 vulnerabilities patched, multiple critical

Read More
Google releases November 2025 Android patch, fixes critical …
U.S. House bans WhatsApp on their devices due …
Adobe releases November 2024 updates for multiple products, …
Zenbleed critical flaw reported in AMD Ryzen 2 …
Instagram, TikTok and Yahoo leaking account data in …