The Mozilla Foundation released three critical security advisories on November 11, 2025, addressing 16 unique vulnerabilities across multiple Firefox versions and platforms.
The updates target Firefox 145, Firefox ESR 115.30, and Firefox ESR 140.5, with 12 vulnerabilities rated High impact and an additional 14 rated Moderate, affecting millions of users worldwide.

| CVE ID | Product | Vulnerability Type | Severity |
|---|---|---|---|
| CVE-2025-13012 | Firefox ESR 115.30 | Race condition | High |
| CVE-2025-13013 | Firefox ESR 115.30 | Mitigation bypass | Moderate |
| CVE-2025-13014 | Firefox ESR 115.30 | Use-after-free | Moderate |
| CVE-2025-13015 | Firefox ESR 115.30 | Spoofing issue | Low |
| CVE-2025-13012 | Firefox ESR 140.5 | Race condition | High |
| CVE-2025-13016 | Firefox ESR 140.5 | Incorrect boundary conditions | High |
| CVE-2025-13017 | Firefox ESR 140.5 | Same-origin policy bypass | Moderate |
| CVE-2025-13018 | Firefox ESR 140.5 | Mitigation bypass | Moderate |
| CVE-2025-13019 | Firefox ESR 140.5 | Same-origin policy bypass | Moderate |
| CVE-2025-13020 | Firefox ESR 140.5 | Use-after-free | Moderate |
| CVE-2025-13021 | Firefox 145 | Incorrect boundary conditions | High |
| CVE-2025-13022 | Firefox 145 | Incorrect boundary conditions | High |
| CVE-2025-13023 | Firefox 145 | Sandbox escape | High |
| CVE-2025-13024 | Firefox 145 | JIT miscompilation | High |
| CVE-2025-13025 | Firefox 145 | Incorrect boundary conditions | High |
| CVE-2025-13026 | Firefox 145 | Sandbox escape | High |
| CVE-2025-13027 | Firefox 145 | Memory safety bugs | High |

The most severe flaws enable remote code execution and sandbox escape attacks through WebGPU graphics processing vulnerabilities, JavaScript engine miscompilation, and race conditions in the Graphics component.
According to Mozilla’s impact classification, High-impact vulnerabilities can be exploited by attackers to run arbitrary code and install malicious software, requiring no user interaction beyond regular browsing activity.
The sandbox escape vulnerabilities listed as CVE-2025-13023 and CVE-2025-13026 represent particularly critical threats because they bypass Firefox’s security sandbox isolation mechanism.
The vulnerability landscape reveals concerning patterns in critical components. WebGPU graphics processing emerges as a significant attack surface, with five separate boundary condition flaws identified.
Researchers from security teams, including Qrious Secure’s Project KillFuzz, identified JIT compilation issues that could lead to arbitrary code execution via specially crafted JavaScript payloads.
Additionally, multiple Same-origin policy bypasses affecting DOM components could allow attackers to access sensitive data from sites in other browser windows or inject malicious code into legitimate web properties.
Firefox ESR versions received patches addressing critical memory safety vulnerabilities through collective bug fixes (CVE-2025-13027).
These long-term support releases serve enterprise and organizational deployments that require extended version stability, making prompt patching essential for institutional security posture.
Mozilla recommends immediate updating to the latest versions: Firefox 145, Firefox ESR 140.5, or Firefox ESR 115.30.
Users can access updates through automatic update mechanisms or by visiting Mozilla’s official website.
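For fleets where automatic updates are disabled or deferred, the fixed versions above can be turned into an inventory check. The following is an added example, not Mozilla's tooling: it assumes version strings in the form printed by `firefox --version`, with ESR builds carrying an `esr` suffix, and the host names and inventory are constructed sample data.

```python
import re

# First fixed versions named in the article, per channel.
FIXED_RELEASE = (145, 0)
FIXED_ESR = {115: (115, 30), 140: (140, 5)}  # ESR branch major -> fixed version

# Assumption: ESR builds are marked by an "esr" suffix, e.g. "140.4.0esr".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?\b", re.IGNORECASE)


def classify(version_string):
    """Return 'patched', 'outdated', 'unsupported-branch' or 'unparsed'."""
    m = _VERSION_RE.search(version_string)
    if not m:
        return "unparsed"
    # Compare as integers: as text, "115.30" would sort before "115.4".
    major, minor = int(m.group(1)), int(m.group(2))
    if m.group(4):  # ESR channel
        fixed = FIXED_ESR.get(major)
        if fixed is None:
            # Not one of the two ESR branches the article lists a fix for.
            return "unsupported-branch"
        return "patched" if (major, minor) >= fixed else "outdated"
    # Release channel: a non-ESR 140.x build is still below 145.
    return "patched" if (major, minor) >= FIXED_RELEASE else "outdated"


def needs_attention(inventory):
    """Return sorted (host, status) pairs for every host that is not patched."""
    flagged = []
    for host, version_string in inventory.items():
        status = classify(version_string)
        if status != "patched":
            flagged.append((host, status))
    return sorted(flagged)


# Constructed sample inventory (hypothetical host names).
SAMPLE_INVENTORY = {
    "ws-001": "Mozilla Firefox 145.0",
    "ws-002": "Mozilla Firefox 144.0.2",
    "kiosk-01": "Mozilla Firefox 115.4.0esr",
    "kiosk-02": "Mozilla Firefox 115.30.0esr",
    "srv-01": "Mozilla Firefox 140.5.0esr",
    "srv-02": "Mozilla Firefox 128.14.0esr",
}

if __name__ == "__main__":
    for host, status in needs_attention(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```

Hosts reported as `unsupported-branch` or `unparsed` need manual review, since the article lists no fixed version for them.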
The advisory details clarify that exploiting these vulnerabilities requires attackers to deliver malicious content via compromised websites or through network attacks.
Yet the absence of any required user interaction beyond standard browsing behavior significantly increases risk exposure across the user base.
