CVE-2025-9180 is a vulnerability in the Graphics: Canvas2D component of Mozilla Firefox that enables bypass of the same-origin policy, a critical security control that restricts how documents or scripts loaded from one origin can interact with resources from another origin. This flaw could allow an attacker to circumvent these restrictions, potentially exposing sensitive information or enabling unauthorized actions. The vulnerability was reported by Tom Van Goethem and is tracked under Bug 1979782. It has been fixed in Firefox 142 and corresponding ESR and Thunderbird releases. The CVSS 3.1 base score is 8.1, reflecting network attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope, and high impact on confidentiality and integrity. Mozilla’s security advisories MFSA 2025-64 and MFSA 2025-65 confirm the fix and provide additional context on related vulnerabilities fixed simultaneously.

The vulnerability allows bypassing the same-origin policy in the Canvas2D graphics component, which could lead to unauthorized access to data or actions across origins, impacting confidentiality and integrity of user data. There is no reported impact on availability. The CVSS score of 8.1 indicates a high severity threat. No known exploits have been observed in the wild, reducing immediate risk but the potential impact remains significant if exploited.

Mozilla has released official fixes for this vulnerability in Firefox 142, Firefox ESR 115.27, Firefox ESR 128.14, Firefox ESR 140.2, Thunderbird 142, Thunderbird 128.14, and Thunderbird 140.2. Users and administrators should upgrade to these versions or later to remediate the vulnerability. Since this is not a cloud service, remediation depends on applying these updates. Patch status is confirmed by Mozilla advisories MFSA 2025-64 and MFSA 2025-65. No additional mitigation steps are indicated by the vendor advisory.