CVE-2025-4084: Potential local code execution in "copy as cURL" command in Mozilla Firefox ESR
Due to insufficient escaping of the special characters in the "copy as cURL" feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. *This bug only affects Firefox for Windows. Other versions of Firefox are unaffected.* This vulnerability affects Firefox ESR < 128.10, Firefox ESR < 115.23, and Thunderbird < 128.10.
AI Analysis
Technical Summary
CVE-2025-4084 is a vulnerability identified in the "copy as cURL" command feature of Mozilla Firefox ESR and Thunderbird on Windows platforms. The root cause is insufficient escaping of special characters when generating the cURL command string. This flaw allows an attacker to craft malicious input that, when a user copies a request as a cURL command and executes it in a Windows command shell, can lead to arbitrary local code execution. The vulnerability specifically affects Firefox ESR versions prior to 128.10 and Thunderbird versions prior to 128.10 on Windows; other Firefox versions and platforms are unaffected. The vulnerability is classified under CWE-116, indicating improper encoding or escaping of output data. Exploitation requires the attacker to convince the user to perform the "copy as cURL" action on a maliciously crafted request and then execute the resulting command, implying user interaction and local privileges are necessary. The CVSS v3.1 base score is 5.7 (medium severity), reflecting network attack vector with low complexity, requiring privileges and user interaction, and impacting confidentiality but not integrity or availability. No public exploits have been reported yet. Since the vulnerability involves local code execution via command injection in a user-invoked feature, it poses a risk primarily to users who frequently use the "copy as cURL" functionality in Firefox ESR or Thunderbird on Windows.
Potential Impact
The primary impact of CVE-2025-4084 is the potential for local code execution on Windows systems running vulnerable versions of Firefox ESR or Thunderbird. Successful exploitation could allow attackers to execute arbitrary commands with the privileges of the user running the browser, potentially leading to data theft, installation of malware, or further system compromise. Since exploitation requires user interaction and local privileges, remote exploitation is unlikely without social engineering. However, in environments where users regularly use the "copy as cURL" feature, such as developers or security analysts, this vulnerability could be leveraged to execute malicious payloads. Organizations relying on Firefox ESR or Thunderbird on Windows, especially in sensitive or high-security environments, could face confidentiality breaches or lateral movement risks if exploited. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as the vulnerability is publicly disclosed. The impact is limited to Windows platforms and specific product versions, reducing the overall scope but still significant for affected users.
Mitigation Recommendations
To mitigate CVE-2025-4084, organizations and users should promptly update Firefox ESR and Thunderbird to versions 128.10 or later where the vulnerability is fixed. Until patches are available or applied, users should avoid using the "copy as cURL" feature on untrusted or suspicious web requests. Security teams should educate users about the risks of executing copied commands from browsers, emphasizing caution with command-line operations derived from browser features. Implement application whitelisting or endpoint protection solutions that can detect or block suspicious command executions originating from browsers. Additionally, restricting user privileges to the minimum necessary can limit the impact of any local code execution. Monitoring for unusual command-line activity related to cURL or browser processes can help detect exploitation attempts. Finally, organizations should track Mozilla security advisories for updates or patches addressing this vulnerability.
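Added example (not from Mozilla or the original page): a Python sketch that triages a software inventory against the affected versions listed in the description. It assumes the two Firefox ESR thresholds are per-branch fix points (115.x and 128.x); the product keys, function names and inventory rows are constructed for illustration.

```python
import re

# Fixed versions taken from the advisory text: Firefox ESR 115.23 and 128.10,
# Thunderbird 128.10. Treating the two ESR numbers as per-branch fix points
# is an assumption of this example.
FIXED = {
    "firefox-esr": [(115, 23), (128, 10)],
    "thunderbird": [(128, 10)],
}

def parse_version(text):
    """Turn '128.9.0esr' or '115.23' into a (major, minor) tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2))

def is_affected(product, version, os_name):
    """True if the build is one the advisory lists as vulnerable."""
    if os_name.lower() != "windows":
        return False  # advisory: only Windows builds are affected
    fixes = FIXED.get(product.lower())
    if fixes is None:
        return False  # product not named in the advisory
    ver = parse_version(version)
    # Compare against the fix point of the branch the build belongs to: the
    # highest listed fix whose major version does not exceed the build's.
    # A naive "< 128.10" test would wrongly flag patched 115.23+ builds.
    branch_fix = fixes[0]  # builds older than every branch use the lowest fix
    for fix in fixes:
        if fix[0] <= ver[0]:
            branch_fix = fix
    return ver < branch_fix

# Constructed sample inventory (hostnames and builds are made up).
INVENTORY = [
    ("ws-001", "firefox-esr", "115.22.0esr", "Windows"),
    ("ws-002", "firefox-esr", "115.23.0esr", "Windows"),
    ("ws-003", "firefox-esr", "128.9.0esr", "Windows"),
    ("ws-004", "firefox-esr", "128.9.0esr", "Linux"),
    ("ws-005", "thunderbird", "128.10.1", "Windows"),
    ("ws-006", "thunderbird", "115.16.0", "Windows"),
]

def triage(inventory):
    """Return the hosts that still need the update."""
    return [host for host, product, version, os_name in inventory
            if is_affected(product, version, os_name)]

if __name__ == "__main__":
    print("Hosts needing update:", triage(INVENTORY))
```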
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Japan, South Korea, India, Brazil
Technical Details
- Data Version: 5.1
- Assigner Short Name: mozilla
- Date Reserved: 2025-04-29T13:13:37.330Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d9838c4522896dcbebfe8
Added to database: 5/21/2025, 9:09:12 AM
Last enriched: 2/26/2026, 9:54:31 PM
Last updated: 3/21/2026, 2:37:50 PM