Mozilla has released Firefox 145 on November 11, 2025, along with updates for Extended Support Release versions ESR 140.5 and ESR 115.30, to address 16 security vulnerabilities, several of which are rated high-impact and could enable remote code execution without user interaction beyond normal browsing.
These flaws, detailed in Mozilla Foundation Security Advisory (MFSA) 2025-87, primarily affect the browser’s graphics processing, JavaScript engine, and DOM components, posing risks of arbitrary code execution and sandbox escapes that could compromise user systems.
The update also patches similar issues in Thunderbird 145, emphasizing the urgency for users across personal and enterprise environments to apply the fixes promptly.
Key Vulnerabilities Addressed
Among the patched issues, CVE-2025-13027 stands out as a cluster of memory safety bugs discovered by Mozilla’s Fuzzing Team in Firefox 144 and Thunderbird 144, showing evidence of memory corruption that could be exploited for arbitrary code execution with sufficient attacker effort.
High-severity flaws like CVE-2025-13023 and CVE-2025-13026 involve sandbox escapes in the Graphics and WebGPU components, allowing malicious code to escape Firefox’s isolation mechanisms and access underlying system resources during web content rendering.
Additional critical vulnerabilities include use-after-free errors in the Audio/Video (CVE-2025-13020) and WebRTC components (CVE-2025-13014), as well as race conditions in Graphics (CVE-2025-13012) and incorrect boundary conditions in JavaScript WebAssembly (CVE-2025-13021, CVE-2025-13022, CVE-2025-13025), all potentially leading to out-of-bounds reads, writes, or crashes exploitable for code injection via compromised websites or phishing attacks.
Same-origin policy bypasses in DOM Workers (CVE-2025-13019) and Core/HTML (CVE-2025-13013) further enable data theft or code injection across browser windows.
At the same time, a spoofing issue (CVE-2025-13015) rounds out the lower-severity risks. No in-the-wild exploitation has been reported, but the potential for drive-by downloads makes these flaws a prime target for threat actors.
Urgency For Updates and Broader Implications
Mozilla classifies high-impact vulnerabilities as those allowing attackers to run code and install malware with minimal user action, underscoring the need for immediate updates to Firefox 145, ESR 140.5, or ESR 115.30 via automatic mechanisms or direct download from mozilla.org.
Enterprises relying on ESR for stability should prioritize patching, as unaddressed systems face elevated risks from supply chain attacks or zero-day exploits.
Beyond security, Firefox 145 introduces privacy enhancements, such as improved anti-fingerprinting in Private Browsing and Strict Enhanced Tracking Protection modes, reducing the number of users tracked by half, though these are initially opt-in.
This release aligns with Mozilla’s ongoing commitment to proactive fuzzing and rapid response. However, users must enable auto-updates to maintain protection against evolving threats in the browser ecosystem.
Overall, the patches mitigate serious risks without confirmed active abuse, yet vigilance remains essential for cybersecurity hygiene.
