Mozilla Firefox — свободный браузер на движке Gecko
Релизный цикл, информация об уязвимостях
График релизов
Количество 15 151
GHSA-8r38-4g4q-hgvw
Firefox could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing the URL specified in an `embed` tag. This could have bypassed website security checks that restricted which domains users were allowed to embed. This vulnerability affects Firefox < 140 and Firefox ESR < 128.12.
GHSA-823q-pcrj-c4xv
An attacker was able to bypass the `connect-src` directive of a Content Security Policy by manipulating subdocuments. This would have also hidden the connections from the Network tab in Devtools. This vulnerability affects Firefox < 140.
GHSA-34r6-q8c8-23mx
When a URL was provided in a link querystring parameter, Firefox for Android would follow that URL instead of the correct URL, potentially leading to phishing attacks. *This bug only affects Firefox for Android. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 140.
GHSA-9x34-3cq7-4hf6
The executable file warning did not warn users before opening files with the `terminal` extension. *This bug only affects Firefox for macOS. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 140 and Firefox ESR < 128.12.
GHSA-2h3c-qrcw-962q
An attacker who enumerated resources from the WebCompat extension could have obtained a persistent UUID that identified the browser, and persisted between containers and normal/private browsing mode, but not profiles. This vulnerability affects Firefox < 140, Firefox ESR < 115.25, and Firefox ESR < 128.12.
GHSA-87c4-94w2-rw7j
A use-after-free in FontFaceSet resulted in a potentially exploitable crash. This vulnerability affects Firefox < 140, Firefox ESR < 115.25, and Firefox ESR < 128.12.
GHSA-x8w4-qgw5-r433
Memory safety bugs present in Firefox 139 and Thunderbird 139. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 140.
CVE-2025-6436
Memory safety bugs present in Firefox 139 and Thunderbird 139. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 140 and Thunderbird < 140.
CVE-2025-6436
Memory safety bugs present in Firefox 139 and Thunderbird 139. Some of ...
CVE-2025-6435
If a user saved a response from the Network tab in Devtools using the Save As context menu option, that file may not have been saved with the `.download` file extension. This could have led to the user inadvertently running a malicious executable. This vulnerability affects Firefox < 140 and Thunderbird < 140.
Уязвимостей на страницу
Уязвимость | CVSS | EPSS | Опубликовано 1 | |
|---|---|---|---|---|
| GHSA-8r38-4g4q-hgvw Firefox could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing the URL specified in an `embed` tag. This could have bypassed website security checks that restricted which domains users were allowed to embed. This vulnerability affects Firefox < 140 and Firefox ESR < 128.12. | CVSS3: 6.5 | 0% Низкий | 5 месяцев назад |
| GHSA-823q-pcrj-c4xv An attacker was able to bypass the `connect-src` directive of a Content Security Policy by manipulating subdocuments. This would have also hidden the connections from the Network tab in Devtools. This vulnerability affects Firefox < 140. | CVSS3: 9.1 | 0% Низкий | 5 месяцев назад |
| GHSA-34r6-q8c8-23mx When a URL was provided in a link querystring parameter, Firefox for Android would follow that URL instead of the correct URL, potentially leading to phishing attacks. *This bug only affects Firefox for Android. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 140. | CVSS3: 4.3 | 0% Низкий | 5 месяцев назад |
| GHSA-9x34-3cq7-4hf6 The executable file warning did not warn users before opening files with the `terminal` extension. *This bug only affects Firefox for macOS. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 140 and Firefox ESR < 128.12. | CVSS3: 8.8 | 0% Низкий | 5 месяцев назад |
| GHSA-2h3c-qrcw-962q An attacker who enumerated resources from the WebCompat extension could have obtained a persistent UUID that identified the browser, and persisted between containers and normal/private browsing mode, but not profiles. This vulnerability affects Firefox < 140, Firefox ESR < 115.25, and Firefox ESR < 128.12. | CVSS3: 4.3 | 0% Низкий | 5 месяцев назад |
| GHSA-87c4-94w2-rw7j A use-after-free in FontFaceSet resulted in a potentially exploitable crash. This vulnerability affects Firefox < 140, Firefox ESR < 115.25, and Firefox ESR < 128.12. | CVSS3: 9.8 | 0% Низкий | 5 месяцев назад |
| GHSA-x8w4-qgw5-r433 Memory safety bugs present in Firefox 139 and Thunderbird 139. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 140. | CVSS3: 6.5 | 0% Низкий | 5 месяцев назад |
 | CVE-2025-6436 Memory safety bugs present in Firefox 139 and Thunderbird 139. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 140 and Thunderbird < 140. | CVSS3: 8.1 | 0% Низкий | 5 месяцев назад |
| CVE-2025-6436 Memory safety bugs present in Firefox 139 and Thunderbird 139. Some of ... | CVSS3: 8.1 | 0% Низкий | 5 месяцев назад |
| CVE-2025-6435 If a user saved a response from the Network tab in Devtools using the Save As context menu option, that file may not have been saved with the `.download` file extension. This could have led to the user inadvertently running a malicious executable. This vulnerability affects Firefox < 140 and Thunderbird < 140. | CVSS3: 8.1 | 0% Низкий | 5 месяцев назад |
Уязвимостей на страницу