Mozilla released Firefox 145 on November 11, 2025, to address critical security vulnerabilities that could allow attackers to execute arbitrary code on users’ systems.
The update patches 16 CVEs affecting the browser’s graphics, JavaScript, and DOM components, with eight rated high severity.
The most critical issue is CVE-2025-13027, a cluster of memory safety bugs discovered by Mozilla’s Fuzzing Team in Firefox 144 and Thunderbird 144.
These flaws showed evidence of memory corruption that a determined attacker could exploit to achieve remote code execution, potentially bypassing browser sandboxes and compromising entire devices.
WebGPU Vulnerabilities Pose Major Threat
The graphics and WebGPU components contained the most serious flaws. Security researchers Atte Kettunen and Oskar L reported CVE-2025-13021, CVE-2025-13022, and CVE-2025-13025, involving incorrect boundary conditions in WebGPU processing.
These vulnerabilities could trigger out-of-bounds memory access, leading to crashes or code injection when rendering malicious web content.
Most concerning are CVE-2025-13023 and CVE-2025-13026, which enable sandbox escapes.
These flaws allow restricted code to escape the browser’s security sandbox and access sensitive system resources.
As web applications increasingly leverage WebGPU for high-performance graphics rendering, these components have become attractive targets for attackers.
The JavaScript engine also contained critical vulnerabilities. CVE-2025-13016, discovered by Igor Morgenstern, involves incorrect boundary conditions in WebAssembly, while CVE-2025-13024, from Project KillFuzz, is a JIT miscompilation, in which the just-in-time compiler generates incorrect machine code that malicious script could abuse.
A race condition in graphics processing (CVE-2025-13012) creates additional timing-based attack opportunities.
Moderate-impact vulnerabilities include same-origin policy bypasses in DOM components (CVE-2025-13017, CVE-2025-13019) and mitigation bypasses (CVE-2025-13018, CVE-2025-13013).
Low-severity use-after-free errors in WebRTC and audio/video handling (CVE-2025-13020, CVE-2025-13014) could expose audio and video streams.
Firefox 145 Security Vulnerabilities
| CVE ID | Severity | Component | Vulnerability Type |
|---|---|---|---|
| CVE-2025-13027 | High | Multiple (Memory safety) | Memory corruption |
| CVE-2025-13021 | High | Graphics: WebGPU | Incorrect boundary conditions |
| CVE-2025-13022 | High | Graphics: WebGPU | Incorrect boundary conditions |
| CVE-2025-13023 | High | Graphics: WebGPU | Sandbox escape |
| CVE-2025-13024 | High | JavaScript Engine: JIT | JIT miscompilation |
| CVE-2025-13025 | High | Graphics: WebGPU | Incorrect boundary conditions |
| CVE-2025-13026 | High | Graphics: WebGPU | Sandbox escape |
| CVE-2025-13016 | High | JavaScript: WebAssembly | Incorrect boundary conditions |
| CVE-2025-13012 | Moderate | Graphics | Race condition |
| CVE-2025-13017 | Moderate | DOM: Notifications | Same-origin policy bypass |
| CVE-2025-13018 | Moderate | DOM: Security | Mitigation bypass |
| CVE-2025-13019 | Moderate | DOM: Workers | Same-origin policy bypass |
| CVE-2025-13013 | Moderate | DOM: Core & HTML | Mitigation bypass |
| CVE-2025-13020 | Low | WebRTC: Audio/Video | Use-after-free |
| CVE-2025-13014 | Low | Audio/Video | Use-after-free |
| CVE-2025-13015 | Low | Firefox UI | Spoofing |
Mozilla reports no confirmed in-the-wild exploitation, but the high-impact nature of these vulnerabilities warrants immediate action.
Users on unpatched versions face elevated risks from drive-by downloads and phishing attacks.
Firefox users should immediately upgrade to version 145 via mozilla.org or enable automatic updates to protect against potential exploitation.
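A fleet check for the upgrade advice above, as an added example that is not from Mozilla or the original article: it classifies `firefox --version` output collected from endpoints against the fixed release, 145. The host names and inventory lines are constructed, and ESR or pre-release builds are flagged for manual review as an assumption, because the article names no fixed version for them.

```python
import re

FIXED_MAJOR = 145  # fixed release named in the article

# Matches `firefox --version` output such as "Mozilla Firefox 144.0.2".
# A trailing letter suffix ("esr", "b3", "a1") marks a non-release channel.
VERSION_RE = re.compile(r"Mozilla Firefox (\d+)(?:\.\d+)*([a-z]\w*)?")


def classify(version_output):
    """Return 'patched', 'vulnerable', 'review' or 'unknown' for one string."""
    m = VERSION_RE.search(version_output)
    if not m:
        return "unknown"  # not Firefox output, or truncated collection
    major, suffix = int(m.group(1)), m.group(2)
    if suffix:
        # Assumption: ESR/beta/nightly builds need a manual check against
        # Mozilla's advisory; the article only covers release-channel 145.
        return "review"
    return "patched" if major >= FIXED_MAJOR else "vulnerable"


def triage(inventory_lines):
    """Group hosts by status. Each line is '<host><TAB><version output>'."""
    result = {"patched": [], "vulnerable": [], "review": [], "unknown": []}
    for line in inventory_lines:
        host, _, version_output = line.partition("\t")
        result[classify(version_output)].append(host.strip())
    return result


# Constructed sample inventory (hypothetical hosts, realistic version strings).
SAMPLE_INVENTORY = [
    "ws-001\tMozilla Firefox 145.0",
    "ws-002\tMozilla Firefox 144.0.2",
    "ws-003\tMozilla Firefox 140.4.0esr",
    "ws-004\tMozilla Firefox 145.0b3",
    "ws-005\tbash: firefox: command not found",
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:10} {', '.join(hosts) or '-'}")
```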