{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-4084", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2025-04-29T13:13:37.330Z", "datePublished": "2025-04-29T13:13:38.073Z", "dateUpdated": "2026-04-13T14:27:19.237Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "115.23", "lessThanOrEqual": "115.*", "versionType": "rpm"}, {"status": "unaffected", "version": "128.10", "lessThanOrEqual": "*", "versionType": "rpm"}]}, {"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "128.10", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "Due to insufficient escaping of the special characters in the \"copy as cURL\" feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system.\n*This bug only affects Firefox for Windows. Other versions of Firefox are unaffected.*. This vulnerability was fixed in Firefox ESR 128.10, Firefox ESR 115.23, and Thunderbird 128.10.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Due to insufficient escaping of the special characters in the \"copy as cURL\" feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system.<br>*This bug only affects Firefox for Windows. Other versions of Firefox are unaffected.*. This vulnerability was fixed in Firefox ESR 128.10, Firefox ESR 115.23, and Thunderbird 128.10."}]}], "title": "Potential local code execution in \"copy as cURL\" command", "references": [{"url": "https://bugzilla.mozilla.org/buglist.cgi?bug_id=1949994%2C1956698%2C1960198"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-29/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-30/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-32/"}], "credits": [{"lang": "en", "value": "Ameen Basha M K"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:27:19.237Z"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-4084", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-04-30T03:56:30.292026Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-116", "description": "CWE-116 Improper Encoding or Escaping of Output"}]}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T18:27:55.852Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00022.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T19:58:50.272Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00022.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T19:58:50.272Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-4084", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-04-30T03:56:30.292026Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-116", "description": "CWE-116 Improper Encoding or Escaping of Output"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-02T15:34:00.301Z"}}], "cna": {"title": "Potential local code execution in \"copy as cURL\" command", "credits": [{"lang": "en", "value": "Ameen Basha M K"}], "affected": [{"vendor": "Mozilla", "product": "Firefox", "versions": [{"status": "unaffected", "version": "115.23", "versionType": "rpm", "lessThanOrEqual": "115.*"}, {"status": "unaffected", "version": "128.10", "versionType": "rpm", "lessThanOrEqual": "*"}]}, {"vendor": "Mozilla", "product": "Thunderbird", "versions": [{"status": "unaffected", "version": "128.10", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/buglist.cgi?bug_id=1949994%2C1956698%2C1960198"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-29/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-30/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-32/"}], "descriptions": [{"lang": "en", "value": "Due to insufficient escaping of the special characters in the \"copy as cURL\" feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system.\n*This bug only affects Firefox for Windows. Other versions of Firefox are unaffected.*. This vulnerability was fixed in Firefox ESR 128.10, Firefox ESR 115.23, and Thunderbird 128.10.", "supportingMedia": [{"type": "text/html", "value": "Due to insufficient escaping of the special characters in the \"copy as cURL\" feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system.<br>*This bug only affects Firefox for Windows. Other versions of Firefox are unaffected.*. This vulnerability was fixed in Firefox ESR 128.10, Firefox ESR 115.23, and Thunderbird 128.10.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:27:19.237Z"}}}, "cveMetadata": {"cveId": "CVE-2025-4084", "state": "PUBLISHED", "dateUpdated": "2026-04-13T14:27:19.237Z", "dateReserved": "2025-04-29T13:13:37.330Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2025-04-29T13:13:38.073Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*", "matchCriteriaId": "C120A37E-1333-4278-9527-4F370BC78EA8", "versionEndExcluding": "115.23", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*", "matchCriteriaId": "78457AB7-7F72-41FA-99F5-EE6D2B2AC9F9", "versionEndExcluding": "128.10", "versionStartIncluding": "128.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*", "matchCriteriaId": "DC19822B-CC07-4C6F-BAAD-C7A9C4E73FA9", "versionEndExcluding": "128.10.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Due to insufficient escaping of the special characters in the \"copy as cURL\" feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system.\n*This bug only affects Firefox for Windows. Other versions of Firefox are unaffected.*. This vulnerability was fixed in Firefox ESR 128.10, Firefox ESR 115.23, and Thunderbird 128.10."}, {"lang": "es", "value": "Debido a la insuficiente capacidad de escape de los caracteres especiales en la funci\u00f3n \"copiar como cURL\", un atacante podr\u00eda enga\u00f1ar a un usuario para que use este comando, lo que podr\u00eda provocar la ejecuci\u00f3n de c\u00f3digo local en su sistema. *Este error solo afecta a Firefox para Windows. Las dem\u00e1s versiones de Firefox no se ven afectadas.* Esta vulnerabilidad afecta a Firefox ESR &lt; 128.10, Firefox ESR &lt; 115.23 y Thunderbird ESR &lt; 128.10."}], "id": "CVE-2025-4084", "lastModified": "2026-04-13T15:16:59.670", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-04-29T14:15:35.097", "references": [{"source": "security@mozilla.org", "tags": ["Broken Link"], "url": "https://bugzilla.mozilla.org/buglist.cgi?bug_id=1949994%2C1956698%2C1960198"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-29/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-30/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-32/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00022.html"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-116"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "firefox: thunderbird: Potential local code execution in \"copy as cURL\" command", "id": "2362911", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2362911"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "status": "draft"}, "cwe": "CWE-138", "details": ["Due to insufficient escaping of the special characters in the \"copy as cURL\" feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system.\n*This bug only affects Firefox for Windows. Other versions of Firefox are unaffected.* This vulnerability affects Firefox ESR < 128.10, Firefox ESR < 115.23, and Thunderbird < 128.10.", "A flaw was found in Firefox. The Mozilla Foundation's Security Advisory describes the following issue: Due to insufficient escaping of the special characters in the \"copy as cURL\" feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. This bug only affects Firefox for Windows. Other versions of Firefox are unaffected."], "name": "CVE-2025-4084", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "firefox-flatpak-container", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "thunderbird-flatpak-container", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "firefox-flatpak-container", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "thunderbird-flatpak-container", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-04-29T13:13:38Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-4084\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-4084\nhttps://bugzilla.mozilla.org/buglist.cgi?bug_id=1949994%2C1956698%2C1960198\nhttps://www.mozilla.org/security/advisories/mfsa2025-29/\nhttps://www.mozilla.org/security/advisories/mfsa2025-30/\nhttps://www.mozilla.org/security/advisories/mfsa2025-32/"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.", "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-04-21T21:04:51.394618+00:00", "value": {"mitigation_remediation": ["Upgrade Mozilla Firefox ESR on Windows to version 115.23 or later, ensuring the \"copy as cURL\" command is properly escaped.", "Upgrade Mozilla Thunderbird ESR to version 128.10 or later to remove the vulnerable code path.", "For environments unable to upgrade immediately, restrict or disable the \"copy as cURL\" feature and educate users to avoid copying commands from untrusted sources."], "summary": {"action": "Immediate Patch", "impact": "Local Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability was identified only in Mozilla Firefox for Windows, affecting all ESR releases prior to 115.23 and prior to 128.10. It is also present in Mozilla Thunderbird ESR versions prior to 128.10.", "description_and_impact": "The bug originates from insufficient escaping of special characters in the \"copy as cURL\" feature, which allows an attacker to inject shell code when a user copies a generated cURL command. The result is the execution of arbitrary commands on the victim\u2019s machine, providing the attacker with the privileges of the user. The weakness aligns with CWE\u2011116 (Improper Encoding of Quotations and Escape Characters) and CWE\u2011138 (Improper Validation of Interpreted Characters).", "risk_and_exploitability": "The CVSS score of 5.7 classifies the issue as moderate; the EPSS score of less than 1% indicates a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires a victim to be tricked into using a maliciously crafted \"copy as cURL\" command; the attack vector is therefore largely user\u2011interactive and local. Should exploitation succeed, it would enable the attacker to execute code with the current user\u2019s permissions, potentially leading to full system compromise if user privileges are high."}}}}, "created": "2026-04-21T21:15:45.445518+00:00", "updated": "2026-04-21T21:15:45.445527+00:00", "vendors": []}