The Mozilla Foundation has released Firefox 138, addressing multiple high-impact security vulnerabilities that posed serious risks to users across desktop and mobile platforms.
The security advisory, MFSA 2025-28, details a range of flaws, several of which could enable attackers to escalate privileges, execute arbitrary code, or compromise sensitive user data.
Major Vulnerabilities Patched
The most severe vulnerabilities fixed in Firefox 138 include:
- CVE-2025-2817: Privilege Escalation in Firefox Updater
A flaw in the update mechanism allowed medium-integrity user processes to interfere with the SYSTEM-level updater by manipulating file-locking behavior. Attackers could inject code into a user-privileged process, bypassing access controls and enabling SYSTEM-level file operations on user-controlled paths. This enabled privilege escalation from a non-privileged user to SYSTEM.
- CVE-2025-4082: WebGL Shader Attribute Memory Corruption (macOS only)
On macOS, modification of certain WebGL shader attributes could trigger an out-of-bounds read. When chained with other vulnerabilities, this could result in privilege escalation or arbitrary code execution. Other platforms were not affected.
- CVE-2025-4083: Process Isolation Bypass via javascript: URIs
Improper handling of javascript: URIs in cross-origin frames allowed content to execute in the top-level document’s process rather than its intended frame. This process isolation bypass could facilitate a sandbox escape, undermining browser security boundaries.
- CVE-2025-4092: Memory Safety Bugs
Multiple memory safety bugs, some enabling memory corruption, were fixed. With sufficient effort, attackers could exploit these flaws to run arbitrary code.
Additional Notable Issues
- CVE-2025-4085: Attackers controlling a content process could leverage the privileged UITour actor for information leakage or privilege escalation.
- CVE-2025-4086: Specially crafted filenames with many encoded newline characters could obscure file extensions in the download dialog (Android only).
- CVE-2025-4087: Unsafe attribute access during XPath parsing could trigger undefined behavior and memory corruption due to missing null checks.
- CVE-2025-4088: Redirects via the Storage Access API could enable cross-site request forgery (CSRF) attacks.
- CVE-2025-4089: The “copy as cURL” command failed to properly escape special characters, potentially leading to local code execution.
- CVE-2025-4090: On Android, sensitive library paths could be leaked via Logcat.
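One way a download prompt can defend against the filename issue described for CVE-2025-4086, shown as an added example that is not taken from Mozilla's advisory or from Firefox's code. The function names, the 40-character limit and the sample filename are assumptions constructed for illustration.

```javascript
// Added example; names are hypothetical and this is not Firefox code.
// C0/C1 control characters plus Unicode line and paragraph separators.
const CONTROL_RUN = /[\u0000-\u001f\u007f-\u009f\u2028\u2029]+/g;

// Percent-decode without throwing on malformed escapes.
function safeDecode(name) {
  try {
    return decodeURIComponent(name);
  } catch (e) {
    return name; // malformed input: fall back to the raw string
  }
}

// Build the text a download prompt should show for a server-supplied name.
function describeDownloadName(rawName, maxLen = 40) {
  const decoded = safeDecode(rawName);
  // Replace each run of newlines/control characters with one space so the
  // real extension cannot be pushed out of the visible area.
  const cleaned = decoded.replace(CONTROL_RUN, " ");
  const suspicious = cleaned !== decoded;
  const flat = cleaned.replace(/\s+/g, " ").trim();

  // The effective extension is whatever follows the last dot.
  const dot = flat.lastIndexOf(".");
  const extension = dot > 0 ? flat.slice(dot) : "";

  // When truncating, cut the middle and always keep the extension visible.
  let display = flat;
  if (flat.length > maxLen) {
    const keep = Math.max(1, maxLen - extension.length - 1);
    display = flat.slice(0, keep) + "\u2026" + extension;
  }
  return { display, extension, suspicious };
}

// Constructed sample: a benign-looking name padded with encoded newlines.
const sample = "invoice.pdf" + "%0A".repeat(30) + ".apk";
console.log(describeDownloadName(sample));
```

The `suspicious` flag lets the caller add a warning or log the event when a filename contained line breaks or control characters.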
Technical Summary Table
CVE ID | Impact | Component/Feature | Affected Platform(s) | Exploit Type |
---|---|---|---|---|
CVE-2025-2817 | High | Updater | All | Privilege Escalation |
CVE-2025-4082 | High | WebGL Shader | macOS | Memory Corruption |
CVE-2025-4083 | High | javascript: URI Handling | All | Process Isolation Bypass |
CVE-2025-4085 | Moderate | UITour Actor | All | Info Leak/Privilege Escalation |
CVE-2025-4086 | Moderate | Download Dialog | Android | Obscured Download Type |
CVE-2025-4087 | Moderate | XPath Parsing | All | Memory Corruption |
CVE-2025-4088 | Moderate | Storage Access API | All | CSRF |
CVE-2025-4089 | Moderate | “Copy as cURL” Command | All | Local Code Execution |
CVE-2025-4090 | Low | Logcat Logging | Android | Info Leak |
CVE-2025-4091/92 | Moderate/High | General Memory Safety | All | Arbitrary Code Execution |
Security Recommendations
Mozilla urges all users to update to Firefox 138 immediately to mitigate these vulnerabilities.
Organizations should prioritize patching, especially where browsers are used with elevated privileges or in sensitive environments.
No evidence currently suggests these flaws are being actively exploited in the wild.
For technical details and the full list of fixes, consult the official Mozilla Security Advisory MFSA 2025-28.