CVE-2025-5264: Potential local code execution in “Copy as cURL” command in Mozilla Firefox
Due to insufficient escaping of the newline character in the “Copy as cURL” feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. This vulnerability affects Firefox < 139, Firefox ESR < 115.24, Firefox ESR < 128.11, Thunderbird < 139, and Thunderbird < 128.11.
AI Analysis
Technical Summary
CVE-2025-5264 is a vulnerability identified in Mozilla Firefox and Thunderbird products prior to versions Firefox 139, Firefox ESR 115.24 and 128.11, and Thunderbird 139 and 128.11. The flaw arises from insufficient escaping of newline characters in the “Copy as cURL” feature. This feature allows users to copy HTTP request data as a cURL command for use in command-line interfaces. Due to improper sanitization, an attacker can craft malicious input that, when a user invokes the “Copy as cURL” command and subsequently executes the copied command, could lead to local code execution on the victim’s machine. The vulnerability is categorized under CWE-77, which relates to improper neutralization of special elements used in a command ('Command Injection'). The CVSS v3.1 base score is 4.8 (medium severity), with vector AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L, indicating that exploitation requires local access, low attack complexity, low privileges, and user interaction. The impact includes potential confidentiality, integrity, and availability compromises on the local system, but exploitation requires tricking a user into executing the maliciously crafted cURL command. No known exploits in the wild have been reported as of the publication date. The vulnerability affects a widely used browser and email client, making it relevant for a broad user base.
Potential Impact
For European organizations, this vulnerability poses a moderate risk primarily in environments where users frequently utilize the “Copy as cURL” feature for debugging or development purposes. If exploited, attackers could execute arbitrary commands locally, potentially leading to data leakage, unauthorized system modifications, or disruption of services on affected endpoints. This could be particularly impactful in sectors with sensitive data, such as finance, healthcare, and government, where local compromise might facilitate lateral movement or data exfiltration. However, the requirement for local access and user interaction limits remote exploitation, reducing the risk of large-scale automated attacks. Nonetheless, targeted phishing or social engineering campaigns could leverage this vulnerability to compromise high-value targets within European enterprises. The vulnerability also affects Thunderbird, which is used in some organizations for email communication, potentially exposing email client users to similar risks.
Mitigation Recommendations
Organizations should prioritize updating Mozilla Firefox and Thunderbird to versions 139 or later (or the specified ESR versions) as soon as patches become available. Until patches are released, users should be advised to avoid using the “Copy as cURL” feature, especially with untrusted or suspicious web content. Security teams should educate users about the risks of executing copied commands from unverified sources. Endpoint protection solutions should be configured to monitor and alert on unusual command-line activities that could indicate exploitation attempts. Additionally, implementing application whitelisting and restricting execution of unauthorized scripts can reduce the risk of local code execution. Network segmentation and least privilege principles should be enforced to limit the impact of any local compromise. Regular vulnerability scanning and patch management processes should include tracking updates for Mozilla products to ensure timely remediation.
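As a concrete form of the advice above about copied commands, the following added example (not Mozilla's code and not part of the original advisory) checks a clipboard string for the condition this CVE describes: a line break that falls outside shell quoting and would therefore end the curl command early when pasted. It assumes bash/zsh quoting rules; the function names and sample strings are constructed for illustration.

```python
# Added example: pre-paste check for a command copied with "Copy as cURL".
# Models bash/zsh quoting only (assumption); cmd.exe and PowerShell differ.

def scan(command):
    """Return (offsets of CR/LF outside any quoting, still-open quote or None)."""
    breaks, quote, i = [], None, 0
    while i < len(command):
        ch = command[i]
        if quote == "'":                    # '...' is literal up to the next '
            if ch == "'":
                quote = None
        elif ch == "\\":                    # escapes next char; \<newline> continues the line
            i += 1
        elif quote is not None:             # inside "..." or $'...'
            if ch == quote[-1]:
                quote = None
        elif command.startswith("$'", i):   # ANSI-C quoting (bash/zsh)
            quote, i = "$'", i + 1
        elif ch in "'\"":
            quote = ch
        elif ch in "\r\n":                  # acts as Enter when pasted
            breaks.append(i)
        i += 1
    return breaks, quote


def review(command):
    """Classify a clipboard string before it is pasted into a terminal."""
    body = command.rstrip("\r\n")           # one trailing Enter adds no second command
    breaks, open_quote = scan(body)
    if open_quote:
        return "reject: unterminated quote"
    if breaks:
        return f"reject: line break outside quotes at offset {breaks[0]}"
    if not body.lstrip().startswith("curl "):
        return "reject: does not start with curl"
    return "ok: single curl command"


# Constructed samples (not taken from the advisory).
QUOTED = "curl 'https://example.test/api' -H 'X-Note: one\ntwo'"
SPLIT = "curl 'https://example.test/api' -H 'X-Note: a'\necho SECOND-COMMAND"
ANSI_C = "curl 'https://example.test/api' --data-raw $'a\\nb\\'c'"

if __name__ == "__main__":
    for name, sample in [("QUOTED", QUOTED), ("SPLIT", SPLIT), ("ANSI_C", ANSI_C)]:
        print(name, "->", review(sample))
```

The check covers only the line-break condition; it does not look for other shell metacharacters, so an "ok" result is not a general safety verdict.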
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden, Belgium, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: mozilla
- Date Reserved: 2025-05-27T12:29:23.106Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 6835b383182aa0cae2110af3
Added to database: 5/27/2025, 12:43:47 PM
Last enriched: 7/11/2025, 10:32:51 AM
Last updated: 8/14/2025, 8:37:11 AM