CVE-2025-4084
Potential local code execution in "copy as cURL" command
CVSS Score
5.7
EPSS Score
0.0%
EPSS Percentile
0th
Due to insufficient escaping of the special characters in the "copy as cURL" feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. *This bug only affects Firefox for Windows. Other versions of Firefox are unaffected.*. This vulnerability was fixed in Firefox ESR 128.10, Firefox ESR 115.23, and Thunderbird 128.10.
| Vendor | mozilla |
| Product | firefox |
| Ecosystems | |
| Industries | Technology |
| Published | Apr 29, 2025 |
| Last Updated | Apr 13, 2026 |
Stay Ahead of the Next One
Get instant alerts for mozilla firefox
Be the first to know when new medium vulnerabilities affecting mozilla firefox are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
Mozilla / Firefox
All versions affected Mozilla / Thunderbird
All versions affected References
bugzilla.mozilla.org: https://bugzilla.mozilla.org/buglist.cgi?bug_id=1949994%2C1956698%2C1960198 mozilla.org: https://www.mozilla.org/security/advisories/mfsa2025-29/ mozilla.org: https://www.mozilla.org/security/advisories/mfsa2025-30/ mozilla.org: https://www.mozilla.org/security/advisories/mfsa2025-32/ lists.debian.org: https://lists.debian.org/debian-lts-announce/2025/05/msg00022.html
Credits
Ameen Basha M K