CVE-2025-5265: Potential local code execution in “Copy as cURL” command in Mozilla Firefox
Due to insufficient escaping of the ampersand character in the “Copy as cURL” feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. *This bug only affects Firefox for Windows. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 139, Firefox ESR < 115.24, Firefox ESR < 128.11, Thunderbird < 139, and Thunderbird < 128.11.
AI Analysis
Technical Summary
CVE-2025-5265 is a medium-severity vulnerability affecting Mozilla Firefox on Windows prior to version 139 and the Extended Support Release (ESR) branches before 115.24 and 128.11, as well as Thunderbird before 139 and 128.11. The vulnerability arises from insufficient escaping of the ampersand character in the “Copy as cURL” feature, which lets users copy a network request from the developer tools as a cURL command for debugging or replication. Because the copied values are not properly sanitized, an attacker can craft a malicious web page or request content so that, when a user invokes “Copy as cURL” on it, the resulting command contains ampersands that are not escaped; since the ampersand is a command separator for the Windows command interpreter, pasting and running that command can lead to command injection and local code execution on the victim’s Windows machine. The attack requires the user to perform the “Copy as cURL” action on the malicious content, so user interaction is necessary, and the attacker must also have some means of inducing the user to do so; this corresponds to a local attack vector of low complexity that requires user interaction and some privileges. The vulnerability is classified under CWE-77 (Improper Neutralization of Special Elements used in a Command), i.e. command injection. The CVSS v3.1 base score is 4.8 (medium), reflecting a local attack vector, low attack complexity, low privileges required, and user interaction required. Confidentiality, integrity, and availability impacts are all rated low to medium, since the attacker can execute arbitrary code locally and potentially escalate from there. No exploits are currently reported in the wild, and no patches are linked yet, so users and administrators should give this prompt attention. This vulnerability is specific to Windows builds of Firefox and Thunderbird; other platforms are unaffected.
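The following added example (written for this page; it is not Firefox's, Mozilla's or cURL's code) shows the bug class from the defender's side. It builds a curl command line for Windows cmd.exe from a constructed request whose header value contains a double quote and an ampersand, scans the result with a simplified model of cmd.exe's quote and caret handling to find metacharacters the interpreter would act on, and compares naive double-quoting against the two-stage scheme of quoting for the CRT argv parser and then caret-escaping every cmd.exe metacharacter. The URL, header, function names and the "injected" marker are assumptions; the scanner ignores %VAR% and !VAR! expansion.

```python
import re

# cmd.exe metacharacters that the two-stage escaper prefixes with '^'.
CMD_META = '()%!^"<>&|'

# Constructed sample request: a header value that contains a quote and an
# ampersand, the shape of input that a naive quoter mishandles.
SAMPLE_URL = 'https://example.invalid/'
SAMPLE_HEADERS = {'X-Test': 'x" & echo injected'}


def cmd_interpreted_metachars(cmdline: str) -> list:
    """Return (position, char) for every command separator or redirection
    character that cmd.exe would interpret in this command line.

    Simplified model: '"' toggles quoted mode; outside quotes '^' makes the
    next character literal; '&', '|', '<' and '>' are interpreted only outside
    quotes. %VAR% and !VAR! expansion are not modelled (assumption)."""
    found = []
    in_quotes = False
    i = 0
    while i < len(cmdline):
        ch = cmdline[i]
        if not in_quotes and ch == '^':
            i += 2          # caret escapes the following character
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif ch in '&|<>' and not in_quotes:
            found.append((i, ch))
        i += 1
    return found


def naive_quote(arg: str) -> str:
    """Wrap in double quotes without escaping: an embedded '"' closes the
    quoted region early and everything after it is parsed by cmd.exe."""
    return '"' + arg + '"'


def argv_quote(arg: str) -> str:
    """Quote one argument so the Windows CRT argv parser reconstructs it
    exactly. Backslashes are doubled only when they precede a '"' or the
    closing quote; embedded quotes become '\\"'."""
    if arg and not re.search(r'[\s"]', arg):
        return arg
    out = ['"']
    backslashes = 0
    for ch in arg:
        if ch == '\\':
            backslashes += 1
            continue
        if ch == '"':
            out.append('\\' * (backslashes * 2 + 1) + '"')
        else:
            out.append('\\' * backslashes + ch)
        backslashes = 0
    out.append('\\' * (backslashes * 2) + '"')
    return ''.join(out)


def cmd_escape(arg: str) -> str:
    """Second stage: caret-escape every cmd.exe metacharacter, including the
    quotes themselves, so cmd.exe never enters quoted mode and passes the
    argv-quoted text through unchanged to the target program."""
    return ''.join('^' + ch if ch in CMD_META else ch for ch in argv_quote(arg))


def build_curl(url: str, headers: dict, quote) -> str:
    """Assemble a curl command line using the given per-argument quoter."""
    parts = ['curl', quote(url)]
    for name, value in headers.items():
        parts += ['-H', quote(f'{name}: {value}')]
    return ' '.join(parts)


NAIVE_CMDLINE = build_curl(SAMPLE_URL, SAMPLE_HEADERS, naive_quote)
SAFE_CMDLINE = build_curl(SAMPLE_URL, SAMPLE_HEADERS, cmd_escape)


def check(cmdline: str) -> bool:
    """True when cmd.exe would treat the command line as a single command."""
    return not cmd_interpreted_metachars(cmdline)


if __name__ == '__main__':
    for label, line in (('naive', NAIVE_CMDLINE), ('escaped', SAFE_CMDLINE)):
        print(f'{label:8} safe={check(line)} :: {line}')
        print('   interpreted:', cmd_interpreted_metachars(line))
```

The check function is the part a defender can reuse: run it over any command line a tool generates for cmd.exe before offering it to a user, and treat any unquoted `&`, `|`, `<` or `>` as a finding. The caret-escaping stage is deliberately conservative; `%` and `!` still need care in batch files, where cmd.exe expands them before caret processing.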
Potential Impact
For European organizations, this vulnerability poses a moderate risk primarily to Windows users running affected versions of Firefox or Thunderbird. Since these applications are widely used for web browsing and email communication, exploitation could lead to local system compromise, enabling attackers to execute arbitrary code, potentially leading to data theft, lateral movement, or persistence within corporate networks. The requirement for user interaction and local access reduces the likelihood of widespread automated exploitation but does not eliminate targeted attacks, especially in environments where users might be socially engineered or tricked into performing the vulnerable action. The impact on confidentiality could include exposure of sensitive information, while integrity and availability could be compromised if attackers deploy malware or ransomware post-exploitation. Given the prevalence of Firefox and Thunderbird in European enterprises and public sector organizations, especially those emphasizing open-source solutions, the vulnerability could affect critical infrastructure if exploited. However, the medium severity and lack of known exploits suggest that immediate risk is moderate but should not be ignored.
Mitigation Recommendations
European organizations should implement the following specific mitigation steps:
1) Immediately update Firefox and Thunderbird to versions 139 or later (or ESR versions 115.24 and 128.11 or later) once patches are released by Mozilla.
2) Until patches are available, restrict or monitor the use of the “Copy as cURL” feature, especially in sensitive environments, by educating users about the risks of copying cURL commands from untrusted sources.
3) Employ endpoint protection solutions capable of detecting unusual command execution patterns that might result from exploitation attempts.
4) Use application whitelisting and privilege restrictions to limit the ability of arbitrary code execution resulting from this vulnerability.
5) Conduct targeted user awareness training to reduce the risk of social engineering that could lead users to perform the vulnerable action.
6) Monitor logs and network traffic for suspicious activity related to local command execution or unexpected cURL command usage.
7) Consider deploying Windows Group Policy or other management tools to disable or restrict features that allow command copying or execution if feasible.
These measures go beyond generic advice by focusing on controlling the specific feature and user behavior that triggers the vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: mozilla
- Date Reserved: 2025-05-27T12:29:23.953Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 6835b383182aa0cae2110af5
Added to database: 5/27/2025, 12:43:47 PM
Last enriched: 7/11/2025, 10:33:08 AM
Last updated: 8/9/2025, 4:01:17 PM
Related Threats
- CVE-2025-8081: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in elemntor Elementor Website Builder – More Than Just a Page Builder (Medium)
- CVE-2025-6253: CWE-862 Missing Authorization in uicore UiCore Elements – Free Elementor widgets and templates (High)
- CVE-2025-3892: CWE-250: Execution with Unnecessary Privileges in Axis Communications AB AXIS OS (Medium)
- CVE-2025-30027: CWE-1287: Improper Validation of Specified Type of Input in Axis Communications AB AXIS OS (Medium)
- CVE-2025-7622: CWE-918: Server-Side Request Forgery (SSRF) in Axis Communications AB AXIS Camera Station Pro (Medium)