Description
Due to insufficient escaping of special characters in the "copy as cURL" feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. This vulnerability was fixed in Firefox 138 and Thunderbird 138.
Published: 2025-04-29
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local Code Execution
Action: Patch Immediately
AI Analysis

Impact

Mozilla’s "copy as cURL" feature does not escape certain special characters properly, allowing an attacker to embed malicious content in the generated command string. If a user copies that command and executes it in a terminal or shell, the payload runs with the user’s privileges, resulting in local code execution on the host system. Such a compromise would give the attacker full control over the affected machine and enable further attack steps such as persistence, data exfiltration, or lateral movement. The flaw is a classic instance of CWE-138 (Improper Escaping of Special Characters) and CWE-77 (OS Command Injection).

Affected Systems

The vulnerability affects Mozilla Firefox and Mozilla Thunderbird. Both products were patched in release 138, so all versions prior to 138 remain susceptible. No other browsers or products are known to be impacted.

Risk and Exploitability

The CVSS score of 5.1 places the weakness in the medium severity band, while the EPSS score of less than 1% indicates a very low probability of exploitation in the wild. Because the attack requires a user to run the copied command, it relies on social engineering; an attacker must first lure a user into executing the code. The vulnerability is not listed in CISA’s KEV catalog. Nonetheless, local code execution represents a high‑impact outcome for the affected user and should not be dismissed.

Generated by OpenCVE AI on April 21, 2026 at 21:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Firefox 138 or later and Thunderbird 138 or later; these releases correct the escaping flaw (CWE-138) and mitigate the resulting OS command injection (CWE-77).
  • If upgrading immediately is not possible, disable the "copy as cURL" feature entirely to eliminate the injection vector; removing or hiding the context-menu entry ensures the malicious command string can never be generated by the browser.
  • Restrict user privileges to the minimum necessary for web browsing; running the browser under a non-privileged user account limits the damage that could result from inadvertent execution of a malicious command.

Advisories
Source | ID | Title
EUVD | EUVD-2025-12655 | Due to insufficient escaping of special characters in the "copy as cURL" feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. This vulnerability affects Firefox < 138 and Thunderbird < 138.
Ubuntu USN | USN-7991-1 | Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 15:00:00 +0000

Description
  Removed: Due to insufficient escaping of special characters in the "copy as cURL" feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. This vulnerability affects Firefox < 138 and Thunderbird < 138.
  Added: Due to insufficient escaping of special characters in the "copy as cURL" feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. This vulnerability was fixed in Firefox 138 and Thunderbird 138.
Title
  Removed: firefox: thunderbird: Potential local code execution in "copy as cURL" command
  Added: Potential local code execution in "copy as cURL" command

Fri, 09 May 2025 20:00:00 +0000

First Time appeared
  Added: Mozilla; Mozilla firefox; Mozilla thunderbird
CPEs
  Added: cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*; cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
Vendors & Products
  Added: Mozilla; Mozilla firefox; Mozilla thunderbird

Fri, 02 May 2025 02:45:00 +0000

Title
  Added: firefox: thunderbird: Potential local code execution in "copy as cURL" command
Weaknesses
  Added: CWE-138
References
  (none listed)
Metrics
  threat_severity
    Removed: None
    Added: Moderate

Tue, 29 Apr 2025 16:15:00 +0000

Weaknesses
  Added: CWE-77
Metrics
  cvssV3_1
    Added: {'score': 5.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}
  ssvc
    Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 29 Apr 2025 13:30:00 +0000

Description
  Added: Due to insufficient escaping of special characters in the "copy as cURL" feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. This vulnerability affects Firefox < 138 and Thunderbird < 138.
References
  (none listed)

MITRE
Status: PUBLISHED
Assigner: mozilla
Published:
Updated: 2026-04-13T14:28:48.766Z
Reserved: 2025-04-29T13:13:44.377Z
Link: CVE-2025-4089

Vulnrichment
Updated: 2025-04-29T15:38:41.023Z

NVD
Status: Modified
Published: 2025-04-29T14:15:35.537
Modified: 2026-04-13T15:17:00.560
Link: CVE-2025-4089

Red Hat
Severity: Moderate
Public Date: 2025-04-29T13:13:45Z
Links: CVE-2025-4089 - Bugzilla

OpenCVE Enrichment
Updated: 2026-04-21T21:15:45Z

Weaknesses