Description
Due to insufficient escaping of the special characters in the "copy as cURL" feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system.
*This bug only affects Firefox for Windows. Other versions of Firefox are unaffected.*. This vulnerability was fixed in Firefox ESR 128.10, Firefox ESR 115.23, and Thunderbird 128.10.
Published: 2025-04-29
Score: 5.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local Code Execution
Action: Immediate Patch
AI Analysis

Impact

The bug originates from insufficient escaping of special characters in the "copy as cURL" feature, which allows an attacker to inject shell code when a user copies a generated cURL command. The result is the execution of arbitrary commands on the victim’s machine, providing the attacker with the privileges of the user. The weakness aligns with CWE‑116 (Improper Encoding of Quotations and Escape Characters) and CWE‑138 (Improper Validation of Interpreted Characters).

Affected Systems

The vulnerability was identified only in Mozilla Firefox for Windows, affecting all ESR releases prior to 115.23 and prior to 128.10. It is also present in Mozilla Thunderbird ESR versions prior to 128.10.

Risk and Exploitability

The CVSS score of 5.7 classifies the issue as moderate; the EPSS score of less than 1% indicates a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires a victim to be tricked into using a maliciously crafted "copy as cURL" command; the attack vector is therefore largely user‑interactive and local. Should exploitation succeed, it would enable the attacker to execute code with the current user’s permissions, potentially leading to full system compromise if user privileges are high.

Generated by OpenCVE AI on April 21, 2026 at 21:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mozilla Firefox ESR on Windows to version 115.23 or later, ensuring the "copy as cURL" command is properly escaped.
  • Upgrade Mozilla Thunderbird ESR to version 128.10 or later to remove the vulnerable code path.
  • For environments unable to upgrade immediately, restrict or disable the "copy as cURL" feature and educate users to avoid copying commands from untrusted sources.

Generated by OpenCVE AI on April 21, 2026 at 21:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4167-1 thunderbird security update
EUVD EUVD EUVD-2025-12687 Due to insufficient escaping of the special characters in the "copy as cURL" feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. *This bug only affects Firefox for Windows. Other versions of Firefox are unaffected.* This vulnerability affects Firefox ESR < 128.10, Firefox ESR < 115.23, and Thunderbird < 128.10.
History

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Due to insufficient escaping of the special characters in the "copy as cURL" feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. *This bug only affects Firefox for Windows. Other versions of Firefox are unaffected.* This vulnerability affects Firefox ESR < 128.10, Firefox ESR < 115.23, and Thunderbird < 128.10. Due to insufficient escaping of the special characters in the "copy as cURL" feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. *This bug only affects Firefox for Windows. Other versions of Firefox are unaffected.*. This vulnerability was fixed in Firefox ESR 128.10, Firefox ESR 115.23, and Thunderbird 128.10.
Title firefox: thunderbird: Potential local code execution in "copy as cURL" command Potential local code execution in "copy as cURL" command

Mon, 03 Nov 2025 20:30:00 +0000

Type Values Removed Values Added
References

Fri, 09 May 2025 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*
Vendors & Products Mozilla
Mozilla firefox
Mozilla thunderbird

Fri, 02 May 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 02 May 2025 16:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-116
Metrics cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L'}

 cvssV3_1

{'score': 5.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N'}

Thu, 01 May 2025 14:30:00 +0000

Type Values Removed Values Added
Description Due to insufficient escaping of the special characters in the "copy as cURL" feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. *This bug only affects Firefox for Windows. Other versions of Firefox are unaffected.* This vulnerability affects Firefox ESR < 128.10, Firefox ESR < 115.23, and Thunderbird ESR < 128.10. Due to insufficient escaping of the special characters in the "copy as cURL" feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. *This bug only affects Firefox for Windows. Other versions of Firefox are unaffected.* This vulnerability affects Firefox ESR < 128.10, Firefox ESR < 115.23, and Thunderbird < 128.10.

Thu, 01 May 2025 02:45:00 +0000

Type Values Removed Values Added
Title firefox: thunderbird: Potential local code execution in "copy as cURL" command
Weaknesses CWE-138
References
Metrics threat_severity

None

 cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L'}

threat_severity

Moderate

Tue, 29 Apr 2025 13:30:00 +0000

Type Values Removed Values Added
Description Due to insufficient escaping of the special characters in the "copy as cURL" feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. *This bug only affects Firefox for Windows. Other versions of Firefox are unaffected.* This vulnerability affects Firefox ESR < 128.10, Firefox ESR < 115.23, and Thunderbird ESR < 128.10.
References

Subscriptions

Mozilla Firefox Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:27:19.237Z

Reserved: 2025-04-29T13:13:37.330Z

Link: CVE-2025-4084

cve-icon Vulnrichment

Updated: 2025-11-03T19:58:50.272Z

cve-icon NVD

Status : Modified

Published: 2025-04-29T14:15:35.097

Modified: 2026-04-13T15:16:59.670

Link: CVE-2025-4084

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-04-29T13:13:38Z

Links: CVE-2025-4084 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T21:15:45Z

Weaknesses