CVE-2025-11713

Insufficient escaping in the Copy as cURL feature could have been used to trick a user into executing unexpected code on Windows. This did not affect Firefox running on other operating systems. This vulnerability affects Firefox < 144, Firefox ESR < 140.4, Thunderbird < 144, and Thunderbird < 140.4.
Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST | NIST | UNKNOWN | ---
mozilla | CNA | --- | ---
Awaiting analysis
This vulnerability is currently awaiting analysis.
EPSS Score Percentile: Unknown
Debian Releases

Debian Product | Codename | Version | Status
firefox | sid | 143.0.3-1 | fixed
firefox-esr | bullseye | 115.14.0esr-1~deb11u1 | fixed
firefox-esr | bullseye (security) | 140.3.1esr-1~deb11u1 | fixed
firefox-esr | bookworm | 128.14.0esr-1~deb12u1 | fixed
firefox-esr | bookworm (security) | 140.3.1esr-1~deb12u1 | fixed
firefox-esr | trixie | 128.14.0esr-1~deb13u1 | fixed
firefox-esr | trixie (security) | 140.3.1esr-1~deb13u1 | fixed
firefox-esr | forky | 140.3.1esr-2 | fixed
firefox-esr | sid | 140.3.1esr-2 | fixed
thunderbird | bullseye | 1:115.12.0-1~deb11u1 | fixed
thunderbird | bullseye (security) | 1:140.3.0esr-1~deb11u1 | fixed
thunderbird | bookworm | 1:128.14.0esr-1~deb12u1 | fixed
thunderbird | bookworm (security) | 1:140.3.0esr-1~deb12u1 | fixed
thunderbird | trixie | 1:128.14.0esr-1~deb13u1 | fixed
thunderbird | trixie (security) | 1:140.3.0esr-1~deb13u1 | fixed
thunderbird | forky | 1:140.3.1esr-1 | fixed
thunderbird | sid | 1:140.3.1esr-1 | fixed