Firefox 141 Released With Fix for Multiple Vulnerabilities
Mozilla has released Firefox 141 to address 17 security vulnerabilities, including several high-impact flaws that could potentially allow arbitrary code execution.
The Mozilla Foundation Security Advisory, announced on July 22, 2025, urges users to update immediately to protect against these critical security issues.
Key Takeaways
1. Firefox 141 patches critical vulnerabilities that could allow code execution.
2. High-impact bugs affect core browser functions on 64-bit and ARM systems.
3. Mozilla urges immediate update to protect against these security risks.
JavaScript Engine and Memory Safety Flaws
The most severe vulnerabilities center around Firefox’s JavaScript engine and memory management systems.
CVE-2025-8027 represents a particularly dangerous flaw where the IonMonkey-JIT compiler only wrote 32 bits of a 64-bit return value to the stack on 64-bit platforms, while the Baseline-JIT read the entire 64 bits. This mismatch could lead to unpredictable behavior and potential code execution.
Another critical issue, CVE-2025-8028, affects ARM64 systems where WebAssembly br_table instructions with numerous entries could cause label truncation, resulting in incorrect branch address calculations.
The update also addresses multiple memory safety bugs tracked as CVE-2025-8044, CVE-2025-8034, CVE-2025-8040, and CVE-2025-8035, which Mozilla’s security team believes could be exploited for arbitrary code execution with sufficient effort.
Cross-Origin and Content Security Policy
Several vulnerabilities involved circumventing important web security mechanisms. CVE-2025-8036 allowed attackers to bypass Cross-Origin Resource Sharing (CORS) protections through DNS rebinding attacks, as Firefox cached CORS preflight responses across IP address changes.
The browser also suffered from Content Security Policy (CSP) bypass issues, including CVE-2025-8032 where XSLT document loading failed to propagate source document CSP restrictions.
Authentication credentials faced exposure risk through CVE-2025-8031, where username:password combinations weren’t properly stripped from URLs in CSP reports, potentially leaking HTTP Basic Authentication credentials.
Additionally, CVE-2025-8029 enabled execution of javascript: URLs when embedded in object and embed tags, creating another attack vector.
| CVE | Title | Impact |
| CVE-2025-8027 | JavaScript engine only wrote partial return value to stack | High |
| CVE-2025-8028 | Large branch table could lead to truncated instruction | High |
| CVE-2025-8044 | Memory safety bugs fixed in Firefox 141 and Thunderbird 141 | High |
| CVE-2025-8034 | Memory safety bugs fixed in Firefox ESR 115.26, Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141 | High |
| CVE-2025-8040 | Memory safety bugs fixed in Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141 | High |
| CVE-2025-8035 | Memory safety bugs fixed in Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141 | High |
| CVE-2025-8041 | Incorrect URL truncation in Firefox for Android | Moderate |
| CVE-2025-8042 | Sandboxed iframe could start downloads | Moderate |
| CVE-2025-8029 | javascript: URLs executed on object and embed tags | Moderate |
| CVE-2025-8036 | DNS rebinding circumvents CORS | Moderate |
| CVE-2025-8037 | Nameless cookies shadow secure cookies | Moderate |
| CVE-2025-8030 | Potential user-assisted code execution in “Copy as cURL” command | Moderate |
| CVE-2025-8043 | Incorrect URL truncation | Moderate |
| CVE-2025-8031 | Incorrect URL stripping in CSP reports | Moderate |
| CVE-2025-8032 | XSLT documents could bypass CSP | Moderate |
| CVE-2025-8038 | CSP frame-src was not correctly enforced for paths | Low |
| CVE-2025-8039 | Search terms persisted in URL bar | Low |
| CVE-2025-8033 | Incorrect JavaScript state machine for generators | Low |
Android Fixes
Firefox for Android received specific attention with fixes for CVE-2025-8041 and CVE-2025-8042.
The first addressed incorrect URL truncation in the address bar, where URLs were shortened from the end rather than prioritizing the origin display.
The second vulnerability allowed sandboxed iframes without the allow-downloads attribute to initiate downloads, breaking the intended security sandbox.
The update also resolves cookie shadowing issues through CVE-2025-8037, where nameless cookies with equal signs could shadow secure cookies even when set over unencrypted HTTP connections.
Mozilla strongly recommends all Firefox users update immediately to version 141 to protect against these vulnerabilities, which range from high-impact memory corruption issues to moderate privacy and security bypasses.
Boost detection, reduce alert fatigue, accelerate response; all with an interactive sandbox built for security teams -> Try ANY.RUN Now
Source link
