Description
Due to insufficient escaping of the ampersand character in the “Copy as cURL” feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system.
*This bug only affects Firefox for Windows. Other versions of Firefox are unaffected.* This vulnerability was fixed in Firefox 139, Firefox ESR 115.24, Firefox ESR 128.11, Thunderbird 139, and Thunderbird 128.11.
Published: 2025-05-27
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local code execution
Action: Patch
AI Analysis

Impact

The vulnerability arises from insufficient escaping of the ampersand character in the “Copy as cURL” feature, which allows an attacker to trick a user into executing a crafted command that runs arbitrary code locally. This flaw can lead to a complete compromise of the user’s system, exposing confidential data or allowing further malicious activity. The weakness is classified under CWE-116 (Improper Encoding or Escaping of Output) and CWE-77 (Command Injection), indicating improper escaping of generated output and potential command injection.

Affected Systems

Mozilla Firefox for Windows is affected, with the issue fixed in version 139 and in Firefox ESR 115.24 and 128.11. Mozilla Thunderbird is also affected and was patched in version 139 and Thunderbird ESR 128.11. Users running older builds of these applications face the risk of exploitation.

Risk and Exploitability

The CVSS score of 4.8 indicates a moderate severity, and the EPSS score of less than 1% shows a very low likelihood of exploitation in the wild. The vulnerability is not listed in CISA KEV, further suggesting it has not been widely exploited. The attack requires user interaction to trigger the Copy as cURL command, making it a local, user‑dependent threat rather than a remote capability.

Generated by OpenCVE AI on April 20, 2026 at 17:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Mozilla Firefox to version 139 or later, or to a patched ESR release such as 115.24 or 128.11.
  • Update Mozilla Thunderbird to version 139 or later, or to a patched ESR release such as 128.11.
  • Continuously monitor Mozilla security advisories to ensure any future patches are applied promptly.


Advisories (source, ID, title)
  • EUVD, EUVD-2025-16339: Due to insufficient escaping of the ampersand character in the “Copy as cURL” feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. *This bug only affects Firefox for Windows. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 139, Firefox ESR < 115.24, Firefox ESR < 128.11, Thunderbird < 139, and Thunderbird < 128.11.
  • Ubuntu USN, USN-7663-1: Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 16:15:00 +0000
  • Metrics (ssvc)
      Values removed: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
      Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 13 Apr 2026 15:00:00 +0000
  • Description
      Values removed: Due to insufficient escaping of the ampersand character in the “Copy as cURL” feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. *This bug only affects Firefox for Windows. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 139, Firefox ESR < 115.24, Firefox ESR < 128.11, Thunderbird < 139, and Thunderbird < 128.11.
      Values added: Due to insufficient escaping of the ampersand character in the “Copy as cURL” feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. *This bug only affects Firefox for Windows. Other versions of Firefox are unaffected.*. This vulnerability was fixed in Firefox 139, Firefox ESR 115.24, Firefox ESR 128.11, Thunderbird 139, and Thunderbird 128.11.

Thu, 30 Oct 2025 16:15:00 +0000
  • Title
      Values removed: firefox: thunderbird: Potential local code execution in “Copy as cURL” command
      Values added: Potential local code execution in “Copy as cURL” command

Wed, 11 Jun 2025 12:15:00 +0000
  • Description
      Values removed: Due to insufficient escaping of the ampersand character in the “Copy as cURL” feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. *This bug only affects Firefox for Windows. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 139, Firefox ESR < 115.24, and Firefox ESR < 128.11.
      Values added: Due to insufficient escaping of the ampersand character in the “Copy as cURL” feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. *This bug only affects Firefox for Windows. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 139, Firefox ESR < 115.24, Firefox ESR < 128.11, Thunderbird < 139, and Thunderbird < 128.11.
  • References

Thu, 05 Jun 2025 14:30:00 +0000
  • First Time appeared
      Values added: Mozilla; Mozilla firefox
  • CPEs
      Values added: cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*; cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
  • Vendors & Products
      Values added: Mozilla; Mozilla firefox

Thu, 29 May 2025 19:30:00 +0000
  • Title
      Values removed: firefox: Potential local code execution in “Copy as cURL” command
      Values added: firefox: thunderbird: Potential local code execution in “Copy as cURL” command

Wed, 28 May 2025 14:45:00 +0000
  • Title
      Values added: firefox: Potential local code execution in “Copy as cURL” command
  • Weaknesses
      Values added: CWE-116
  • References
  • Metrics (threat_severity)
      Values removed: None
      Values added: Moderate


Tue, 27 May 2025 15:15:00 +0000
  • Weaknesses
      Values added: CWE-77
  • Metrics (cvssV3_1)
      Values added: {'score': 4.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L'}
  • Metrics (ssvc)
      Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 27 May 2025 12:45:00 +0000
  • Description
      Values added: Due to insufficient escaping of the ampersand character in the “Copy as cURL” feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. *This bug only affects Firefox for Windows. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 139, Firefox ESR < 115.24, and Firefox ESR < 128.11.
  • References

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:28:00.476Z

Reserved: 2025-05-27T12:29:23.953Z

Link: CVE-2025-5265

Vulnrichment

Updated: 2025-05-27T15:10:05.453Z

NVD

Status: Modified

Published: 2025-05-27T13:15:22.303

Modified: 2026-04-13T15:17:04.010

Link: CVE-2025-5265

Redhat

Severity: Moderate

Public Date: 2025-05-27T12:29:24Z

Links: CVE-2025-5265 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-20T17:15:12Z

Weaknesses
  • CWE-116

    Improper Encoding or Escaping of Output

  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')