Mozilla released Firefox 140 on June 24, 2025, addressing 13 security vulnerabilities, including two critical vulnerabilities that could allow attackers to execute arbitrary code on affected systems.
The release comes as part of Mozilla’s ongoing commitment to browser security, with several vulnerabilities affecting both desktop and mobile versions of the popular web browser.
The most severe vulnerability addressed in Firefox 140 is CVE-2025-6424, a use-after-free vulnerability in FontFaceSet that could result in a potentially exploitable crash.
Discovered by security researchers LJP and HexRabbit from the DEVCORE Research Team, this high-impact vulnerability poses significant risks to users, as it could potentially allow attackers to execute malicious code on affected systems.
Alongside this critical vulnerability, Mozilla has also resolved CVE-2025-6436, which encompasses multiple memory safety bugs that were present in Firefox 139 and Thunderbird 139.
According to Mozilla’s security team, including Andrew McCreight, Gabriele Svelto, Beth Rennie, and the Mozilla Fuzzing Team, some of these memory corruption issues showed evidence that, with sufficient effort, they could be exploited to run arbitrary code.
These critical vulnerabilities underscore the importance of immediate updates, as they represent the most serious category of browser security vulnerabilities that could compromise user systems entirely.
Platform-Specific Vulnerabilities
Firefox 140 addresses several platform-specific security issues that affect particular operating systems.
Android users face multiple unique vulnerabilities, including CVE-2025-6428, where Firefox for Android would incorrectly follow URLs provided in link querystring parameters instead of the intended destination, potentially facilitating phishing attacks.
Additionally, CVE-2025-6431 affects Android users by allowing attackers to bypass the security prompt that normally appears before opening links in external applications.
This bypass could expose users to security vulnerabilities or privacy breaches in third-party applications.
macOS users are not exempt from platform-specific risks, with CVE-2025-6426 addressing a vulnerability where executable terminal files could be opened without proper warnings, potentially allowing malicious software to run without user awareness.
Web Security and Privacy Protections
The remaining vulnerabilities address various web security mechanisms and user privacy protections.
Mozilla strongly recommends that all Firefox users update to version 140 immediately to protect against these vulnerabilities.
CVE-2025-6425 resolves a moderate-impact issue where the WebCompat WebExtension exposed a persistent UUID that could be used to track users across different browsing contexts, though not across profiles.
Several Content Security Policy bypasses were also patched, including CVE-2025-6427, which allowed attackers to circumvent connect-src directives through subdocument manipulation, and CVE-2025-6429, in which URLs used to embed youtube.com content were parsed incorrectly, bypassing domain restrictions.
Other notable fixes include improvements to DNS proxy handling (CVE-2025-6432), WebAuthn security requirements (CVE-2025-6433), and developer tools file saving protections (CVE-2025-6435).
The update can be obtained through Firefox’s automatic update mechanism or by downloading the latest version directly from Mozilla’s website.
Given the severity of the code execution vulnerabilities, delaying this update could leave systems vulnerable to sophisticated attacks.