CVE-2025-11713: Vulnerability in Mozilla Firefox
Insufficient escaping in the “Copy as cURL” feature could have been used to trick a user into executing unexpected code on Windows. This did not affect the application when running on other operating systems. This vulnerability affects Firefox < 144, Firefox ESR < 140.4, Thunderbird < 144, and Thunderbird < 140.4.
AI Analysis
Technical Summary
CVE-2025-11713 is a vulnerability identified in Mozilla Firefox and Thunderbird products prior to versions Firefox 144 and ESR 140.4. The issue stems from insufficient escaping in the 'Copy as cURL' feature specifically on Windows platforms. This feature allows users to copy network requests as cURL commands for debugging or scripting purposes. Due to improper escaping of command-line arguments, an attacker could craft malicious input that, when copied and executed by a user, leads to execution of arbitrary code on the victim's Windows machine. The vulnerability does not affect Firefox or Thunderbird running on other operating systems such as macOS or Linux. The flaw is categorized under CWE-116 (Improper Encoding or Escaping of Output), which typically leads to injection attacks. The CVSS v3.1 base score is 8.1, reflecting a high severity with network attack vector, low attack complexity, no privileges required, but requiring user interaction. The impact includes potential compromise of confidentiality and integrity of the affected system, as arbitrary code execution could allow data theft or system manipulation. No public exploits have been reported yet, but the vulnerability is published and known. The lack of patches at the time of reporting means users must be cautious and monitor for updates from Mozilla. This vulnerability highlights the risk of features that generate executable commands without proper sanitization, especially on Windows where command-line injection is a common attack vector.
Potential Impact
The vulnerability allows an attacker to trick users into executing arbitrary code on Windows systems via the 'Copy as cURL' feature. This can lead to unauthorized access to sensitive information, data manipulation, or further system compromise. Since Firefox and Thunderbird are widely used browsers and email clients, the potential impact is significant, especially in environments where users might copy and execute cURL commands for debugging or automation. The attack requires user interaction, which limits automated exploitation but does not eliminate risk, particularly in targeted phishing or social engineering campaigns. Organizations relying on these products on Windows platforms face risks to confidentiality and integrity of their systems and data. The vulnerability does not affect availability directly but could be leveraged as part of broader attacks. The absence of known exploits reduces immediate risk but the public disclosure increases the likelihood of future exploitation attempts. Enterprises with Windows-based endpoints running vulnerable versions should consider this a high-priority issue.
Mitigation Recommendations
1. Upgrade Mozilla Firefox to version 144 or later, and Thunderbird to version 140.4 or later as soon as patches are released.
2. Until patches are available, advise users to avoid using the 'Copy as cURL' feature on Windows or to carefully inspect any copied commands before execution.
3. Implement endpoint protection solutions that can detect and block suspicious command-line executions or scripts.
4. Educate users about the risks of executing commands copied from untrusted sources, emphasizing caution with cURL commands.
5. Monitor network and endpoint logs for unusual command execution patterns that may indicate exploitation attempts.
6. Employ application whitelisting to restrict execution of unauthorized scripts or commands.
7. Maintain up-to-date threat intelligence feeds to stay informed about any emerging exploits targeting this vulnerability.
8. Consider disabling or restricting the use of developer features like 'Copy as cURL' in managed environments until fully patched.
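Recommendation 2 asks users to inspect a copied command before running it. The following is an added example, not code from Mozilla or from this advisory: a conservative Python lint that walks a pasted command using cmd.exe's basic quoting rules and reports where a second command would begin. The advisory does not describe the specific escaping flaw, so the function name `find_cmd_breakouts`, the shell rules modelled, and the sample strings are assumptions constructed for illustration of the CWE-116 class in general.

```python
# Added example (not Mozilla's code): conservative lint for a command pasted
# into cmd.exe. Rules modelled are assumptions about the shell, not the CVE:
# '"' toggles quoting, '^' escapes the next character outside quotes, and
# & | < > act as operators when unquoted. %VAR% expansion is not covered.
OPERATORS = set("&|<>")

def find_cmd_breakouts(command):
    """Return (offset, reason) for each point where cmd.exe would stop
    passing text to the first program and start something else."""
    findings, in_quotes, i = [], False, 0
    while i < len(command):
        ch = command[i]
        if ch in "\r\n":
            # A bare line break ends the command; quoting does not span lines.
            findings.append((i, "line break starts a new command"))
            in_quotes = False
            i += 2 if command[i:i + 2] == "\r\n" else 1
            continue
        if in_quotes:
            in_quotes = ch != '"'
        elif ch == "^":
            # Skip the escaped character; caret + CRLF is a line continuation.
            i += 3 if command[i + 1:i + 3] == "\r\n" else 2
            continue
        elif ch == '"':
            in_quotes = True
        elif ch in OPERATORS:
            findings.append((i, "unquoted operator %r" % ch))
        i += 1
    return findings

# Constructed sample inputs (example.test is a placeholder host).
QUOTED_OK = 'curl "https://example.test/api?a=1&b=2" ^\r\n  -H "Accept: */*"'
CARET_OK = 'curl ^"https://example.test/?a=1^&b=2^"'
UNQUOTED_AMP = 'curl "https://example.test/" -H "X-Note: a" & echo second'
EMBEDDED_NEWLINE = 'curl "https://example.test/"\necho second'

if __name__ == "__main__":
    for sample in (QUOTED_OK, CARET_OK, UNQUOTED_AMP, EMBEDDED_NEWLINE):
        print(repr(sample), "->", find_cmd_breakouts(sample) or "no findings")
```

An empty result means only that none of the modelled patterns were found; any finding is a reason not to paste the command into a shell.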
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Japan, South Korea, India, Brazil, Russia
Technical Details
- Data Version: 5.1
- Assigner Short Name: mozilla
- Date Reserved: 2025-10-13T19:50:10.388Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68ee47cf509368ccaa6fc8ba
Added to database: 10/14/2025, 12:53:35 PM
Last enriched: 2/26/2026, 10:14:12 PM
Last updated: 3/24/2026, 10:41:47 PM