Mozilla has rolled out Firefox 145, addressing a series of high-severity vulnerabilities that could allow attackers to execute arbitrary code on users’ systems.
Announced on November 11, 2025, the release patches flaws primarily in the browser’s graphics, JavaScript, and DOM components, and Mozilla urges immediate upgrades to mitigate the risk of exploitation.
The update tackles 15 CVEs, with eight rated high impact, four moderate, and one low. A standout issue is CVE-2025-13027, a cluster of memory safety bugs discovered by Mozilla’s Fuzzing Team in Firefox 144 and Thunderbird 144.
These flaws showed signs of memory corruption, and experts believe determined attackers could exploit them to achieve remote code execution, bypassing browser sandboxes and compromising entire devices.
Such vulnerabilities often stem from buffer overflows or improper memory handling, making them prime targets for sophisticated malware campaigns.
Firefox 145 – Security Update
Graphics and WebGPU components bore the brunt of the fixes. CVE-2025-13021, CVE-2025-13022, and CVE-2025-13025, reported by Atte Kettunen and Oskar L, involve incorrect boundary conditions in WebGPU processing.
These could trigger out-of-bounds reads or writes, potentially leading to crashes or code injection during the rendering of malicious web content.
More alarmingly, CVE-2025-13023 and CVE-2025-13026 are sandbox escapes: code confined to the restricted content process could break out of the sandbox and access sensitive system resources.
Reporters Oskar L and Jamie Nicol highlighted that these bugs sit in WebGPU’s high-performance rendering path, a feature increasingly targeted as web apps grow more graphics-intensive.
JavaScript-related flaws add to the urgency. CVE-2025-13016, from Igor Morgenstern, fixes boundary errors in WebAssembly, while CVE-2025-13024, uncovered by Project KillFuzz of Qrious Secure, resolves a JIT miscompilation that could be leveraged for code execution.
A race condition in the Graphics component (CVE-2025-13012, by Irvan Kurniawan) adds a further, timing-dependent exploitation risk.
Moderate-impact issues include same-origin policy bypasses in DOM components (CVE-2025-13017 and CVE-2025-13019) and mitigation bypasses in DOM security and HTML parsing (CVE-2025-13018 and CVE-2025-13013).
Use-after-free bugs in WebRTC and audio/video handling (CVE-2025-13020 and CVE-2025-13014) could expose audio and video streams, while a low-impact spoofing bug (CVE-2025-13015) affects UI integrity.
| CVE ID | Component | Description |
|---|---|---|
| CVE-2025-13021 | Graphics: WebGPU | Incorrect boundary conditions |
| CVE-2025-13022 | Graphics: WebGPU | Incorrect boundary conditions |
| CVE-2025-13012 | Graphics | Race condition |
| CVE-2025-13023 | Graphics: WebGPU | Sandbox escape due to incorrect boundary conditions |
| CVE-2025-13016 | JavaScript: WebAssembly | Incorrect boundary conditions |
| CVE-2025-13024 | JavaScript Engine: JIT | JIT miscompilation |
| CVE-2025-13025 | Graphics: WebGPU | Incorrect boundary conditions |
| CVE-2025-13026 | Graphics: WebGPU | Sandbox escape due to incorrect boundary conditions |
| CVE-2025-13017 | DOM: Notifications | Same-origin policy bypass |
| CVE-2025-13018 | DOM: Security | Mitigation bypass |
| CVE-2025-13019 | DOM: Workers | Same-origin policy bypass |
| CVE-2025-13013 | DOM: Core & HTML | Mitigation bypass |
| CVE-2025-13020 | WebRTC: Audio/Video | Use-after-free |
| CVE-2025-13014 | Audio/Video | Use-after-free |
| CVE-2025-13015 | Firefox | Spoofing issue |
| CVE-2025-13027 | Multiple (Memory safety) | Memory safety bugs fixed in Firefox 145 and Thunderbird 145; evidence of memory corruption, potential for arbitrary code execution |
Mozilla emphasizes that no in-the-wild exploitation has been confirmed, but the high impact, especially the potential for arbitrary code execution, warrants swift action. Users on unpatched versions face elevated risks from drive-by downloads or phishing sites.
The advisory also covers Thunderbird 145 for similar memory issues. To stay secure, download Firefox 145 from mozilla.org or enable auto-updates. Enterprises should scan for vulnerable instances and review WebGPU usage in custom apps.
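As an added example of the inventory check suggested above (this is not Mozilla’s code, and it covers only the mainline release channel), the following script parses Firefox version strings as they appear in software inventories and classifies each against the 145.0 fix level; beta and ESR builds are deliberately routed to manual review because this advisory says nothing about their fix status.

```python
import re
from typing import Tuple

# Minimum mainline Firefox release carrying the fixes in this advisory
# (Firefox 145, released November 11, 2025).
FIXED_RELEASE = (145, 0, 0)

# Firefox version strings look like "145.0", "144.0.2", "145.0b3" (beta)
# or "140.3.1esr". Betas and ESR builds are captured separately so they
# are never silently treated as patched or unpatched mainline releases.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?([ab]\d+)?(esr)?$")


def parse_version(text: str) -> Tuple[Tuple[int, int, int], str]:
    """Return ((major, minor, patch), channel), where channel is
    'release', 'beta' or 'esr'. Raises ValueError on unknown formats."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Firefox version: {text!r}")
    major, minor, patch, prerelease, esr = m.groups()
    version = (int(major), int(minor), int(patch or 0))
    if esr:
        channel = "esr"
    elif prerelease:
        channel = "beta"
    else:
        channel = "release"
    return version, channel


def assess(text: str) -> str:
    """Classify an installed Firefox version against this advisory.
    'patched'    - mainline release at or above 145.0
    'vulnerable' - mainline release below 145.0
    'review'     - beta or ESR build; the advisory above covers only the
                   mainline 145 release, so their fix status must be
                   taken from Mozilla's own advisory, not inferred here.
    """
    version, channel = parse_version(text)
    if channel != "release":
        return "review"
    return "patched" if version >= FIXED_RELEASE else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory lines of the form "host,version".
    inventory = ["wks-01,144.0.2", "wks-02,145.0",
                 "srv-01,140.3.1esr", "wks-03,145.0b3"]
    for line in inventory:
        host, ver = line.split(",")
        print(f"{host}: {ver} -> {assess(ver)}")
```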
