Description
Insufficient escaping in the “Copy as cURL” feature could have been used to trick a user into executing unexpected code on Windows. This did not affect the application when running on other operating systems. This vulnerability was fixed in Firefox 144, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4.
Published: 2025-10-14
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: User-Assisted Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability originates from insufficient escaping within the Copy as cURL command in Mozilla applications. When a user copies a request containing crafted characters and pastes it into a terminal or command prompt on Windows, the shell may interpret them as executable code, leading to unintended command execution. This flaw affords an attacker the ability to trigger arbitrary local code execution, effectively compromising the user's system whenever they interact with the sanitized cURL string. The weakness is a classic example of improper input escaping, reflected in CWE-116 and CWE-88.

Affected Systems

Mozilla Firefox versions prior to 144 and Firefox ESR 140.4, as well as Mozilla Thunderbird versions prior to 144 and Thunderbird ESR 140.4, are affected. The flaw only impacts Windows builds of these products; it does not affect macOS or Linux builds or Mozilla applications running on non‑Windows platforms. Users with legacy builds should check whether they use the Copy as cURL feature in a Windows environment.

Risk and Exploitability

The CVSS score of 8.1 classifies this as a high‑severity vulnerability. However, the EPSS score is below 1 %, indicating a very low probability of widespread exploitation in the near term. The flaw is not listed in CISA’s KEV catalog. It requires a user to copy the malicious cURL line and paste it into a Windows command shell, which is a user‑assisted attack vector. Successful exploitation would give an attacker local privileges on the victim machine and the ability to execute arbitrary commands.

Generated by OpenCVE AI on April 20, 2026 at 19:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Firefox 144 or Firefox ESR 140.4 and Thunderbird 144 or Thunderbird ESR 140.4, or any later releases that contain the patch.
  • If an upgrade is not immediately possible, disable the "Copy as cURL" feature in the browser or mail client settings to eliminate the attack surface until a patch is applied.
  • As an additional precaution, restrict the execution of commands entered via the Windows command prompt or PowerShell if the "Copy as cURL" functionality cannot be removed.

Generated by OpenCVE AI on April 20, 2026 at 19:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Ubuntu USN Ubuntu USN USN-7991-1 Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Insufficient escaping in the “Copy as cURL” feature could have been used to trick a user into executing unexpected code on Windows. This did not affect the application when running on other operating systems. This vulnerability affects Firefox < 144, Firefox ESR < 140.4, Thunderbird < 144, and Thunderbird < 140.4. Insufficient escaping in the “Copy as cURL” feature could have been used to trick a user into executing unexpected code on Windows. This did not affect the application when running on other operating systems. This vulnerability was fixed in Firefox 144, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4.

Fri, 14 Nov 2025 15:30:00 +0000

Type Values Removed Values Added
Description Insufficient escaping in the “Copy as cURL” feature could have been used to trick a user into executing unexpected code on Windows. This did not affect Firefox running on other operating systems. This vulnerability affects Firefox < 144, Firefox ESR < 140.4, Thunderbird < 144, and Thunderbird < 140.4. Insufficient escaping in the “Copy as cURL” feature could have been used to trick a user into executing unexpected code on Windows. This did not affect the application when running on other operating systems. This vulnerability affects Firefox < 144, Firefox ESR < 140.4, Thunderbird < 144, and Thunderbird < 140.4.

Thu, 30 Oct 2025 16:30:00 +0000

Type Values Removed Values Added
Title thunderbird: firefox: Potential user-assisted code execution in “Copy as cURL” command Potential user-assisted code execution in “Copy as cURL” command

Mon, 20 Oct 2025 20:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*

Mon, 20 Oct 2025 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft
Microsoft windows
Mozilla
Mozilla firefox
Mozilla firefox Esr
Mozilla thunderbird
Vendors & Products Microsoft
Microsoft windows
Mozilla
Mozilla firefox
Mozilla firefox Esr
Mozilla thunderbird

Wed, 15 Oct 2025 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-116
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}

Wed, 15 Oct 2025 12:30:00 +0000

Type Values Removed Values Added
Title thunderbird: firefox: Potential user-assisted code execution in “Copy as cURL” command
Weaknesses CWE-88
References
Metrics threat_severity

None

 cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

threat_severity

Moderate

Tue, 14 Oct 2025 13:00:00 +0000

Type Values Removed Values Added
Description Insufficient escaping in the “Copy as cURL” feature could have been used to trick a user into executing unexpected code on Windows. This did not affect Firefox running on other operating systems. This vulnerability affects Firefox < 144, Firefox ESR < 140.4, Thunderbird < 144, and Thunderbird < 140.4.
References

Subscriptions

Microsoft Windows
Mozilla Firefox Firefox Esr Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:29:43.716Z

Reserved: 2025-10-13T19:50:10.388Z

Link: CVE-2025-11713

cve-icon Vulnrichment

Updated: 2025-10-15T13:21:42.081Z

cve-icon NVD

Status : Modified

Published: 2025-10-14T13:15:37.567

Modified: 2026-04-13T15:16:40.177

Link: CVE-2025-11713

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-10-14T12:27:35Z

Links: CVE-2025-11713 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T19:15:15Z

Weaknesses