CVE-2025-5265 is a vulnerability identified in Mozilla Firefox for Windows, specifically impacting the “Copy as cURL” feature. This feature allows users to copy HTTP requests as cURL command-line instructions for debugging or replication purposes. The vulnerability arises from insufficient escaping of the ampersand (&) character within the generated cURL commands. An attacker can exploit this by crafting a malicious web page or content that tricks a user into copying and executing a manipulated cURL command containing injected shell commands. Because the ampersand is not properly escaped, the shell interprets it as a command separator, enabling execution of arbitrary commands on the local system. This leads to local code execution (CWE-77: Improper Neutralization of Special Elements used in a Command). The flaw affects Firefox versions below 139, Firefox ESR versions below 115.24 and 128.11, and Thunderbird versions below 139 and 128.11, but only on Windows platforms. Exploitation requires the user to manually copy and run the malicious cURL command, meaning user interaction is necessary. The vulnerability has a CVSS v3.1 base score of 4.8, with attack vector local (AV:L), low attack complexity (AC:L), requiring low privileges (PR:L), user interaction (UI:R), and impacts on confidentiality, integrity, and availability rated as low. No public exploits are known at this time, and Mozilla has not yet released patches. This vulnerability highlights the risks of command injection via improperly sanitized user-facing features that generate shell commands.

If exploited, this vulnerability could allow an attacker to execute arbitrary code on a victim’s Windows system with the privileges of the user running the cURL command. This could lead to unauthorized access to sensitive data, modification or deletion of files, installation of malware, or further lateral movement within a network. Since exploitation requires user interaction and local execution of the crafted command, the risk is somewhat mitigated compared to remote code execution vulnerabilities. However, targeted phishing or social engineering campaigns could trick users into running malicious commands, especially in environments where developers or IT professionals frequently use the “Copy as cURL” feature for troubleshooting. Organizations relying on affected Firefox or Thunderbird versions on Windows may face increased risk of compromise, data breaches, or system disruption if this vulnerability is exploited. The impact is limited to Windows users of these applications, reducing the overall global scope but still significant for affected environments.

Organizations and users should immediately update Firefox and Thunderbird to versions 139 or later, or ESR versions 115.24/128.11 or later, once patches are available from Mozilla. Until patches are released, users should avoid copying and executing cURL commands from untrusted or unknown sources. Security awareness training should emphasize the risks of running copied commands and encourage verification of command content before execution. IT teams can implement application whitelisting or endpoint protection controls to detect and block suspicious command-line activity involving cURL or shell command injection patterns. Additionally, restricting user privileges to the minimum necessary can limit the impact of any successful exploitation. Monitoring logs for unusual command executions and employing network segmentation can further reduce risk. Developers and security teams should review similar features in other tools to ensure proper escaping and sanitization of shell commands to prevent analogous vulnerabilities.