=====================================================================
                            CERT-Renater

                Information Note No. 2025/VULN720
_____________________________________________________________________

DATE                 : 22/10/2025

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running Firefox versions prior to
                       140.4, 115.29, 144.

=====================================================================
https://www.mozilla.org/en-US/security/advisories/mfsa2025-83/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-82/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-81/
_____________________________________________________________________

Mozilla Foundation Security Advisory 2025-83

Security Vulnerabilities fixed in Firefox ESR 140.4

Announced: October 14, 2025
Impact: high
Products: Firefox ESR
Fixed in: Firefox ESR 140.4


#CVE-2025-11708: Use-after-free in MediaTrackGraphImpl::GetInstance()

Reporter: Irvan Kurniawan
Impact: high

Description
Use-after-free in MediaTrackGraphImpl::GetInstance()

References
Bug 1988931


#CVE-2025-11709: Out of bounds read/write in a privileged process triggered by WebGL textures

Reporter: Oskar L
Impact: high

Description
A compromised web process was able to trigger out of bounds reads and writes in a more privileged process using manipulated WebGL textures.

References
Bug 1989127


#CVE-2025-11710: Cross-process information leaked due to malicious IPC messages

Reporter: Oskar L
Impact: high

Description
A compromised web process using malicious IPC messages could have caused the privileged browser process to reveal blocks of its memory to the compromised process.

References
Bug 1989899


#CVE-2025-11711: Some non-writable Object properties could be modified

Reporter: EntryHi
Impact: high

Description
There was a way to change the value of JavaScript Object properties that were supposed to be non-writeable.

References
Bug 1989978


#CVE-2025-11712: An OBJECT tag type attribute overrode browser behavior on web resources without a content-type

Reporter: Masato Kinugawa
Impact: moderate

Description
A malicious page could have used the type attribute of an OBJECT tag to override the default browser behavior when encountering a web resource served without a content-type. This could have contributed to an XSS on a site that unsafely serves files without a content-type header.

References
Bug 1979536


#CVE-2025-11713: Potential user-assisted code execution in “Copy as cURL” command

Reporter: Hafiizh & kang ali
Impact: moderate

Description
Insufficient escaping in the “Copy as cURL” feature could have been used to trick a user into executing unexpected code on Windows. This did not affect Firefox running on other operating systems.

References
Bug 1986142


#CVE-2025-11714: Memory safety bugs fixed in Firefox ESR 115.29, Firefox ESR 140.4, Thunderbird ESR 140.4, Firefox 144 and Thunderbird 144

Reporter: The Mozilla Fuzzing Team
Impact: high

Description
Memory safety bugs present in Firefox ESR 115.28, Firefox ESR 140.3, Thunderbird ESR 140.3, Firefox 143 and Thunderbird 143. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

References
Memory safety bugs fixed in Firefox ESR 115.29, Firefox ESR 140.4, Thunderbird ESR 140.4, Firefox 144 and Thunderbird 144


#CVE-2025-11715: Memory safety bugs fixed in Firefox ESR 140.4, Thunderbird ESR 140.4, Firefox 144 and Thunderbird 144

Reporter: The Mozilla Fuzzing Team
Impact: high

Description
Memory safety bugs present in Firefox ESR 140.3, Thunderbird ESR 140.3, Firefox 143 and Thunderbird 143. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

References
Memory safety bugs fixed in Firefox ESR 140.4, Thunderbird ESR 140.4, Firefox 144 and Thunderbird 144

_____________________________________________________________________

Mozilla Foundation Security Advisory 2025-82

Security Vulnerabilities fixed in Firefox ESR 115.29

Announced: October 14, 2025
Impact: high
Products: Firefox ESR
Fixed in: Firefox ESR 115.29


#CVE-2025-11709: Out of bounds read/write in a privileged process triggered by WebGL textures

Reporter: Oskar L
Impact: high

Description
A compromised web process was able to trigger out of bounds reads and writes in a more privileged process using manipulated WebGL textures.

References
Bug 1989127


#CVE-2025-11710: Cross-process information leaked due to malicious IPC messages

Reporter: Oskar L
Impact: high

Description
A compromised web process using malicious IPC messages could have caused the privileged browser process to reveal blocks of its memory to the compromised process.

References
Bug 1989899


#CVE-2025-11711: Some non-writable Object properties could be modified

Reporter: EntryHi
Impact: high

Description
There was a way to change the value of JavaScript Object properties that were supposed to be non-writeable.

References
Bug 1989978


#CVE-2025-11714: Memory safety bugs fixed in Firefox ESR 115.29, Firefox ESR 140.4, Thunderbird ESR 140.4, Firefox 144 and Thunderbird 144

Reporter: The Mozilla Fuzzing Team
Impact: high

Description
Memory safety bugs present in Firefox ESR 115.28, Firefox ESR 140.3, Thunderbird ESR 140.3, Firefox 143 and Thunderbird 143. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

References
Memory safety bugs fixed in Firefox ESR 115.29, Firefox ESR 140.4, Thunderbird ESR 140.4, Firefox 144 and Thunderbird 144

_____________________________________________________________________

Mozilla Foundation Security Advisory 2025-81

Security Vulnerabilities fixed in Firefox 144

Announced: October 14, 2025
Impact: high
Products: Firefox
Fixed in: Firefox 144


#CVE-2025-11708: Use-after-free in MediaTrackGraphImpl::GetInstance()

Reporter: Irvan Kurniawan
Impact: high

Description
Use-after-free in MediaTrackGraphImpl::GetInstance()

References
Bug 1988931


#CVE-2025-11709: Out of bounds read/write in a privileged process triggered by WebGL textures

Reporter: Oskar L
Impact: high

Description
A compromised web process was able to trigger out of bounds reads and writes in a more privileged process using manipulated WebGL textures.

References
Bug 1989127


#CVE-2025-11710: Cross-process information leaked due to malicious IPC messages

Reporter: Oskar L
Impact: high

Description
A compromised web process using malicious IPC messages could have caused the privileged browser process to reveal blocks of its memory to the compromised process.

References
Bug 1989899


#CVE-2025-11711: Some non-writable Object properties could be modified

Reporter: EntryHi
Impact: high

Description
There was a way to change the value of JavaScript Object properties that were supposed to be non-writeable.

References
Bug 1989978


#CVE-2025-11716: Sandboxed iframes allowed links to open in external apps (Android only)

Reporter: Axel Chong (@Haxatron)
Impact: moderate

Description
Links in a sandboxed iframe could open an external app on Android without the required "allow-" permission.

References
Bug 1818679


#CVE-2025-11717: The password edit screen was not hidden in Android card view

Reporter: msd
Impact: moderate

Description
When switching between Android apps using the card carousel Firefox shows a black screen as its card image when a password-related screen was the last one being used. Prior to Firefox 144 the password edit screen was visible.

References
Bug 1872601


#CVE-2025-11712: An OBJECT tag type attribute overrode browser behavior on web resources without a content-type

Reporter: Masato Kinugawa
Impact: moderate

Description
A malicious page could have used the type attribute of an OBJECT tag to override the default browser behavior when encountering a web resource served without a content-type. This could have contributed to an XSS on a site that unsafely serves files without a content-type header.

References
Bug 1979536


#CVE-2025-11718: Address bar could be spoofed on Android using visibilitychange

Reporter: Hafiizh & kang ali
Impact: moderate

Description
When the address bar was hidden due to scrolling on Android, a malicious page could create a fake address bar to fool the user in response to a visibilitychange event

References
Bug 1980808


#CVE-2025-11713: Potential user-assisted code execution in “Copy as cURL” command

Reporter: Hafiizh & kang ali
Impact: moderate

Description
Insufficient escaping in the “Copy as cURL” feature could have been used to trick a user into executing unexpected code on Windows. This did not affect Firefox running on other operating systems.

References
Bug 1986142


#CVE-2025-11719: Use-after-free caused by the native messaging web extension API on Windows

Reporter: Filip Štamcar
Impact: moderate

Description
Starting in Firefox 143, the use of the native messaging API by web extensions on Windows could lead to crashes caused by use-after-free memory corruption.

References
Bug 1991950


#CVE-2025-11720: Spoofing risk in Android custom tabs

Reporter: Michel Le Bihan
Impact: low

Description
The Firefox and Firefox Focus UI for the Android custom tab feature only showed the "site" that was loaded, not the full hostname. User supplied content hosted on a subdomain of a site could have been used to fool a user into thinking it was content from a different subdomain of that site.

References
Bug 1979534
Bug 1984370


#CVE-2025-11714: Memory safety bugs fixed in Firefox ESR 115.29, Firefox ESR 140.4, Thunderbird ESR 140.4, Firefox 144 and Thunderbird 144

Reporter: The Mozilla Fuzzing Team
Impact: high

Description
Memory safety bugs present in Firefox ESR 115.28, Firefox ESR 140.3, Thunderbird ESR 140.3, Firefox 143 and Thunderbird 143. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

References
Memory safety bugs fixed in Firefox ESR 115.29, Firefox ESR 140.4, Thunderbird ESR 140.4, Firefox 144 and Thunderbird 144


#CVE-2025-11715: Memory safety bugs fixed in Firefox ESR 140.4, Thunderbird ESR 140.4, Firefox 144 and Thunderbird 144

Reporter: The Mozilla Fuzzing Team
Impact: high

Description
Memory safety bugs present in Firefox ESR 140.3, Thunderbird ESR 140.3, Firefox 143 and Thunderbird 143. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

References
Memory safety bugs fixed in Firefox ESR 140.4, Thunderbird ESR 140.4, Firefox 144 and Thunderbird 144


#CVE-2025-11721: Memory safety bug fixed in Firefox 144 and Thunderbird 144

Reporter: None
Impact: high

Description
Memory safety bug present in Firefox 143 and Thunderbird 143. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code.

References
Memory safety bug fixed in Firefox 144 and Thunderbird 144


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |    email:cert@support.renater.fr +
=========================================================
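
Added example (not part of the CERT-Renater or Mozilla text): a small triage helper that sorts an inventory of reported Firefox version strings against the fixed versions named in this bulletin (144, ESR 140.4, ESR 115.29). It assumes version strings in the form printed by `firefox --version`, with an `esr` suffix on ESR builds; the host names and sample inventory are constructed.

```python
import re
from collections import defaultdict

# Fixed versions as stated in the bulletin: release 144, ESR 140.4, ESR 115.29.
FIXED_RELEASE = (144, 0)
FIXED_ESR = {140: (140, 4), 115: (115, 29)}

# major.minor[.patch][esr]; anything else glued on (e.g. a beta tag) is rejected.
_VERSION_RE = re.compile(
    r"(?<![\d.])(\d+)\.(\d+)(?:\.\d+)?(esr)?(?![\w.])", re.IGNORECASE
)

def triage(version_string):
    """Return 'fixed', 'vulnerable' or 'unknown' for one version string."""
    m = _VERSION_RE.search(version_string)
    if not m:
        return "unknown"  # unparseable, or a pre-release build
    major, minor = int(m.group(1)), int(m.group(2))
    if m.group(3):  # ESR build: compare only within its own branch
        fixed = FIXED_ESR.get(major)
        if fixed is None:
            return "unknown"  # ESR branch not covered by this bulletin
        return "fixed" if (major, minor) >= fixed else "vulnerable"
    return "fixed" if (major, minor) >= FIXED_RELEASE else "vulnerable"

def triage_inventory(inventory):
    """Group (host, version_string) pairs by triage status."""
    buckets = defaultdict(list)
    for host, version_string in inventory:
        buckets[triage(version_string)].append(host)
    return dict(buckets)

# Constructed sample inventory (hypothetical hosts).
SAMPLE_INVENTORY = [
    ("ws-01", "Mozilla Firefox 143.0.4"),
    ("ws-02", "Mozilla Firefox 144.0"),
    ("ws-03", "Mozilla Firefox 140.3.1esr"),
    ("ws-04", "Mozilla Firefox 140.4.0esr"),
    ("ws-05", "Mozilla Firefox 115.28.0esr"),
    ("ws-06", "Mozilla Firefox 128.14.0esr"),
    ("ws-07", "Mozilla Firefox 145.0b2"),
]

if __name__ == "__main__":
    for status, hosts in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print(f"{status:10s} {', '.join(hosts)}")
```

Hosts reported as `unknown` need manual review: the bulletin gives no fixed version for their branch or build type.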