Mozilla released Firefox 141 on July 22, 2025, addressing 18 security vulnerabilities ranging from high to low severity levels.
The update includes critical fixes for memory safety bugs, JavaScript engine vulnerabilities and various web security bypasses that could potentially allow arbitrary code execution and data exposure.
Firefox 141 addresses several high-severity vulnerabilities that pose significant security risks to users.
The most critical fixes involve memory safety bugs that were present in previous versions of Firefox and Thunderbird.
These vulnerabilities, tracked as CVE-2025-8044, CVE-2025-8034, CVE-2025-8040, and CVE-2025-8035, showed evidence of memory corruption and could potentially be exploited to run arbitrary code with sufficient effort.
A particularly concerning JavaScript engine vulnerability (CVE-2025-8027) was discovered by researcher Nan Wang, where IonMonkey-JIT only wrote 32 bits of the 64-bit return value space on the stack on 64-bit platforms, while Baseline-JIT read the entire 64 bits, creating a dangerous mismatch.
Additionally, Gary Kwong identified a WebAssembly vulnerability (CVE-2025-8028) affecting ARM64 platforms, where WASM br_table instructions with numerous entries could cause label truncation and incorrect branch address computation.
The Mozilla Fuzzing Team and security researchers Andrew McCreight, Ashley Zebrowski, and Akmat Suleimanov contributed to identifying these critical memory safety issues across multiple Firefox and Thunderbird versions.
CORS Vulnerabilities
Several moderate-severity vulnerabilities addressed in Firefox 141 involve bypasses of important web security mechanisms.
A significant Cross-Origin Resource Sharing (CORS) vulnerability (CVE-2025-8036) was reported by Viktor Bocz, where Firefox cached CORS preflight responses across IP address changes, enabling CORS circumvention through DNS rebinding attacks.
Content Security Policy (CSP) enforcement also received multiple fixes. Tom Schuster discovered that username and password information wasn’t properly stripped from URLs in CSP reports, potentially leaking HTTP Basic Authentication credentials (CVE-2025-8031).
Joe Turki identified another CSP bypass where XSLT document loading failed to correctly propagate the source document, circumventing CSP restrictions (CVE-2025-8032).
Additionally, Laurin Weger found that Firefox ignored paths when validating frame navigations, weakening CSP frame-src enforcement (CVE-2025-8038).
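The credential leak in CSP reports (CVE-2025-8031) can also be contained on the receiving side. The following added example, which is not code from Mozilla or from the original article, sketches a report-collector step that strips the username and password from URL fields before a report is stored. The function names and the sample report are constructed for illustration; the field names are those of the legacy `csp-report` body and the Reporting API `csp-violation` body.

```javascript
// Added example: redact URL credentials from CSP violation reports before storing them.
// Function names and the sample report are hypothetical/constructed, not from the article.
const URL_FIELDS = [
  "document-uri", "blocked-uri", "referrer", "source-file", // legacy report-uri format
  "documentURL", "blockedURL", "sourceFile",                 // Reporting API format
];

// Strip userinfo from one value; returns { value, redacted }.
function stripUserinfo(value) {
  if (typeof value !== "string" || value === "") return { value, redacted: false };
  let url;
  try {
    url = new URL(value);
  } catch {
    // Keyword values such as "inline" or "eval" are not URLs; leave them unchanged.
    return { value, redacted: false };
  }
  if (url.username === "" && url.password === "") return { value, redacted: false };
  url.username = "";
  url.password = "";
  return { value: url.href, redacted: true };
}

// Returns a sanitized copy of the report plus the fields that carried credentials,
// so the collector can count how often unpatched clients leak them.
function sanitizeCspReport(report) {
  const isLegacy = Boolean(report) && typeof report["csp-report"] === "object";
  const body = isLegacy ? report["csp-report"] : (report && report.body) || {};
  const clean = { ...body };
  const leakedFields = [];
  for (const field of URL_FIELDS) {
    if (!(field in clean)) continue;
    const { value, redacted } = stripUserinfo(clean[field]);
    clean[field] = value;
    if (redacted) leakedFields.push(field);
  }
  const sanitized = isLegacy ? { "csp-report": clean } : { ...report, body: clean };
  return { sanitized, leakedFields };
}

// Constructed sample report (not captured traffic).
const sampleReport = {
  "csp-report": {
    "document-uri": "https://alice:s3cret@intranet.example/app?x=1",
    "blocked-uri": "inline",
    "referrer": "",
    "violated-directive": "script-src-elem",
  },
};
```

A non-empty `leakedFields` list is worth logging as a metric: it shows how many reporting clients still send credentials and therefore have not picked up the fix.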
Cookie security was also strengthened with a fix for CVE-2025-8037, reported by Uku Sõrmus, where nameless cookies with equals signs could shadow secure cookies, even when the nameless cookie was set over HTTP.
Android-Specific Fixes
Firefox for Android received targeted security enhancements addressing platform-specific vulnerabilities.
Chris Peterson and Kirtikumar Anandrao Ramchandani reported a URL truncation issue (CVE-2025-8041) where the address bar truncated URLs from the end rather than prioritizing the origin display.
Another Android-specific fix addressed sandboxed iframes improperly initiating downloads without the allow-downloads attribute (CVE-2025-8042), discovered by Axel Chong.
The developer tools also received security improvements, with Ameen Basha M K identifying insufficient escaping in the “Copy as cURL” feature that could potentially trick users into executing unexpected code (CVE-2025-8030).
URL handling improvements included fixes for incorrect truncation in Focus (CVE-2025-8043) and persistent search terms in the URL bar (CVE-2025-8039).
Users should immediately update to Firefox 141 to protect against these vulnerabilities, particularly given the high-severity memory safety issues that could enable arbitrary code execution.




