Mozilla has today released Firefox 141, addressing a broad spectrum of security vulnerabilities that range from high-impact memory safety bugs to moderate issues in URL handling and sandboxing.
The new release, announced on July 22, 2025, under Mozilla Foundation Security Advisory 2025-56, patches eighteen distinct CVEs that collectively close potential avenues for arbitrary code execution, cross-origin data leaks, and privilege escalation.
Given the severity of several flaws, including multiple memory corruption issues and a Just-In-Time (JIT) compilation bug, users are advised to update their installations without delay.
The most critical defects fixed in Firefox 141 include two high-severity flaws in the JavaScript engine.
| CVE | Description | Impact |
| CVE-2025-8027 | JavaScript engine only wrote partial return value to stack | High |
| CVE-2025-8028 | Large branch table could lead to truncated instruction | High |
| CVE-2025-8041 | Incorrect URL truncation in Firefox for Android | Moderate |
| CVE-2025-8042 | Sandboxed iframe could start downloads | Moderate |
| CVE-2025-8029 | javascript: URLs executed on object and embed tags | Moderate |
| CVE-2025-8036 | DNS rebinding circumvents CORS | Moderate |
| CVE-2025-8037 | Nameless cookies shadow secure cookies | Moderate |
| CVE-2025-8030 | Potential user-assisted code execution in “Copy as cURL” command | Moderate |
| CVE-2025-8043 | Incorrect URL truncation | Moderate |
| CVE-2025-8031 | Incorrect URL stripping in CSP reports | Moderate |
| CVE-2025-8032 | XSLT documents could bypass CSP | Moderate |
| CVE-2025-8038 | CSP frame-src was not correctly enforced for paths | Low |
| CVE-2025-8039 | Search terms persisted in URL bar | Low |
| CVE-2025-8033 | Incorrect JavaScript state machine for generators | Low |
| CVE-2025-8044 | Memory safety bugs fixed in Firefox 141 and Thunderbird 141 | High |
| CVE-2025-8034 | Memory safety bugs fixed in various ESR and release channels | High |
| CVE-2025-8040 | Memory safety bugs fixed in ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141 | High |
| CVE-2025-8035 | Memory safety bugs fixed in ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird 140 | High |
CVE-2025-8027 resolved a situation on 64-bit platforms where the IonMonkey JIT backend only wrote half of a return value on the stack, while the Baseline JIT read the full 64-bit space, risking unpredictable behavior and potential code execution.
CVE-2025-8028 corrects a WASM branch table error on ARM64 where large jump tables could yield truncated instructions, miscalculating branch addresses and destabilizing runtime execution.
In addition, the advisory incorporates three umbrella CVEs—CVE-2025-8034, CVE-2025-8035, and CVE-2025-8040—that consolidate numerous memory safety vulnerabilities discovered via Mozilla’s fuzzing infrastructure, some of which exhibited signs of exploitable memory corruption.
Firefox users on older ESR (Extended Support Release) channels benefit as well, since many of the memory safety fixes also propagate to ESR 115.26, 128.13, and 140.1.
Security-conscious organizations should prioritize rollout of Firefox 141 across managed endpoints, given the demonstrable risk associated with remote exploitation of JIT and memory corruption defects.
Mozilla’s commitment to rapid remediation through its bug bounty and fuzzing programs underscores the importance of maintaining up-to-date browser deployments.
All users of Firefox, particularly those on Linux and Windows 64-bit systems or ARM64 devices, should update immediately.
The new release is available via the browser’s built-in updater, direct download from Mozilla’s website, and through major distribution channels.
Delaying this upgrade exposes systems to known vulnerabilities that cyber-attackers could weaponize to compromise data integrity or execute arbitrary code.
Updating to Firefox 141 ensures protection against these flaws and maintains the highest level of browser security and stability.
Get Free Ultimate SOC Requirements Checklist Before you build, buy, or switch your SOC for 2025 - Download Now