This Red Hat security advisory (RHSA-2025:4752) addresses five vulnerabilities in Mozilla Firefox and Thunderbird: CVE-2025-2817 (privilege escalation in Firefox Updater), CVE-2025-4087 (unsafe attribute access during XPath parsing), CVE-2025-4083 (process isolation bypass using "javascript:" URI links in cross-origin frames), and two memory safety bugs (CVE-2025-4091 and CVE-2025-4093) fixed in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10. The advisory provides updated packages for Red Hat Enterprise Linux 9.2 Extended Update Support and related variants. No CVSS scores are provided in the advisory, but Red Hat rates the update as having an important security impact. The advisory references bugzilla entries for each CVE and directs users to apply the update to remediate these vulnerabilities.

The vulnerabilities include privilege escalation, unsafe attribute access, process isolation bypass, and memory safety issues. These could potentially allow an attacker to escalate privileges, bypass security boundaries, or cause memory corruption in affected Firefox and Thunderbird versions. Red Hat rates the overall security impact as important (high severity). There are no known exploits in the wild at the time of the advisory.

Red Hat has released updated Firefox and Thunderbird packages for Red Hat Enterprise Linux 9.2 Extended Update Support that address these vulnerabilities. Users should apply the provided security update as detailed in the Red Hat advisory RHSA-2025:4752 and the linked update instructions (https://access.redhat.com/articles/11258). No additional mitigations are specified or required beyond applying the official update.