Firefox 138 Patches Multiple High-Severity Security Flaws

The Mozilla Foundation has released Firefox 138, addressing multiple high-impact security vulnerabilities that posed serious risks to users across desktop and mobile platforms.

The security advisory, MFSA 2025-28, details a range of flaws-several of which could enable attackers to escalate privileges, execute arbitrary code, or compromise sensitive user data.

Major Vulnerabilities Patched

The most severe vulnerabilities fixed in Firefox 138 include:

• CVE-2025-2817: Privilege Escalation in Firefox Updater
  A flaw in the update mechanism allowed medium-integrity user processes to interfere with the SYSTEM-level updater by manipulating file-locking behavior.
• Attackers could inject code into a user-privileged process, bypassing access controls and enabling SYSTEM-level file operations on user-controlled paths. This enabled privilege escalation from a non-privileged user to SYSTEM.
• CVE-2025-4082: WebGL Shader Attribute Memory Corruption (macOS only)
  On macOS, modification of certain WebGL shader attributes could trigger an out-of-bounds read.
• When chained with other vulnerabilities, this could result in privilege escalation or arbitrary code execution. Other platforms were not affected.
• CVE-2025-4083: Process Isolation Bypass via javascript: URIs
  Improper handling of javascript: URIs in cross-origin frames allowed content to execute in the top-level document’s process rather than its intended frame.
• This process isolation bypass could facilitate a sandbox escape, undermining browser security boundaries.
• CVE-2025-4092: Memory Safety Bugs
  Multiple memory safety bugs, some enabling memory corruption, were fixed. With sufficient effort, attackers could exploit these flaws to run arbitrary code.

Additional Notable Issues

• CVE-2025-4085: Attackers controlling a content process could leverage the privileged UITour actor for information leakage or privilege escalation.
• CVE-2025-4086: Specially crafted filenames with many encoded newline characters could obscure file extensions in the download dialog (Android only).
• CVE-2025-4087: Unsafe attribute access during XPath parsing could trigger undefined behavior and memory corruption due to missing null checks.
• CVE-2025-4088: Redirects via the Storage Access API could enable cross-site request forgery (CSRF) attacks.
• CVE-2025-4089: The “copy as cURL” command failed to properly escape special characters, potentially leading to local code execution.
• CVE-2025-4090: On Android, sensitive library paths could be leaked via Logcat.

Technical Summary Table

CVE ID	Impact	Component/Feature	Affected Platform(s)	Exploit Type
CVE-2025-2817	High	Updater	All	Privilege Escalation
CVE-2025-4082	High	WebGL Shader	macOS	Memory Corruption
CVE-2025-4083	High	javascript: URI Handling	All	Process Isolation Bypass
CVE-2025-4085	Moderate	UITour Actor	All	Info Leak/Privilege Escalation
CVE-2025-4086	Moderate	Download Dialog	Android	Obscured Download Type
CVE-2025-4087	Moderate	XPath Parsing	All	Memory Corruption
CVE-2025-4088	Moderate	Storage Access API	All	CSRF
CVE-2025-4089	Moderate	“Copy as cURL” Command	All	Local Code Execution
CVE-2025-4090	Low	Logcat Logging	Android	Info Leak
CVE-2025-4091/92	Moderate/High	General Memory Safety	All	Arbitrary Code Execution

Security Recommendations

Mozilla urges all users to update to Firefox 138 immediately to mitigate these vulnerabilities.

Organizations should prioritize patching, especially where browsers are used with elevated privileges or in sensitive environments.

No evidence currently suggests these flaws are being actively exploited in the wild.

For technical details and the full list of fixes, consult the official Mozilla Security Advisory MFSA 2025-28.

Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant updates

The post Firefox 138 Patches Multiple High-Severity Security Flaws appeared first on Cyber Security News.