CVE-2025-11713

HIGH

Firefox <144, Firefox ESR <140.4, Thunderbird <144, Thunderbird <14...

Title source: llm

Description

Insufficient escaping in the “Copy as cURL” feature could have been used to trick a user into executing unexpected code on Windows. This did not affect the application when running on other operating systems. This vulnerability was fixed in Firefox 144, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4.

References (5)

[Issue Tracking, Permissions Required] https://bugzilla.mozilla.org/show_bug.cgi?id=1986142

[Vendor Advisory] https://www.mozilla.org/security/advisories/mfsa2025-81/

[Vendor Advisory] https://www.mozilla.org/security/advisories/mfsa2025-83/

[Vendor Advisory] https://www.mozilla.org/security/advisories/mfsa2025-84/

[Vendor Advisory] https://www.mozilla.org/security/advisories/mfsa2025-85/

Scores

CVSS v3 8.1

EPSS 0.0004

EPSS Percentile 11.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-116

Status published

Products (7)

mozilla/firefox < 140.4.0

mozilla/firefox < 144.0

Mozilla/Firefox 140.4 - 140.*

Mozilla/Firefox 144

mozilla/thunderbird < 140.4.0

Mozilla/Thunderbird 140.4 - 140.*

Mozilla/Thunderbird 144

Published Oct 14, 2025

Tracked Since Feb 18, 2026