Mozilla Foundation Security Advisory 2025-19

Security Vulnerability fixed in Firefox 136.0.4, Firefox ESR 128.8.1, Firefox ESR 115.21.1

Announced

March 27, 2025

Impact

critical

Products

Firefox, Firefox ESR

Fixed in

Firefox 136.0.4
Firefox ESR 115.21.1
Firefox ESR 128.8.1

#CVE-2025-2857: Incorrect handle could lead to sandbox escapes

Reporter: Andrew McCreight
Impact: critical

Description

Following the recent Chrome sandbox escape (CVE-2025-2783), various Firefox developers identified a similar pattern in our IPC code. A compromised child process could cause the parent process to return an unintentionally powerful handle, leading to a sandbox escape.
The original vulnerability was being exploited in the wild.
This only affects Firefox on Windows. Other operating systems are unaffected.

References

Bug 1956398
CVE-2025-2783

Firefox for Desktop

Firefox for iOS

Firefox for Android

Firefox Focus

Firefox blog

Mozilla VPN

Mozilla Monitor

Firefox Relay

Pocket

MDN Plus

Fakespot

Thunderbird

About Mozilla

The Mozilla Manifesto

Get Involved

Innovation Projects

Blog

Mozilla Foundation

Mozilla.ai

Mozilla Ventures

Mozilla Advertising

Mozilla Builders