First published: Thu Mar 27 2025
Following the recent Chrome sandbox escape (CVE-2025-2783), various Firefox developers identified a similar pattern in our IPC code. A compromised child process could cause the parent process to return an unintentionally powerful handle, leading to a sandbox escape. The original vulnerability was being exploited in the wild. *This only affects Firefox on Windows. Other operating systems are unaffected.* This vulnerability affects Firefox < 136.0.4, Firefox ESR < 128.8.1, and Firefox ESR < 115.21.1.
Credit: security@mozilla.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Firefox | <136.0.4 | 136.0.4 |
| Firefox ESR | <115.21.1 | 115.21.1 |
| Firefox ESR | <128.8.1 | 128.8.1 |
CVE-2025-2857 has been classified as a high-severity vulnerability due to its potential for sandbox escape.
You can fix CVE-2025-2857 by updating to the latest version of Firefox or Firefox ESR; the fixed versions listed in the vulnerability details are Firefox 136.0.4, Firefox ESR 128.8.1, and Firefox ESR 115.21.1.
CVE-2025-2857 affects Firefox versions before 136.0.4 and Firefox ESR versions before 115.21.1 and 128.8.1, on Windows only.
Yes, CVE-2025-2857 can potentially be exploited remotely if a targeted child process is compromised.
CVE-2025-2857 is a sandbox escape vulnerability that allows a compromised child process to gain elevated privileges.
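The affected ranges above span one release line and two ESR branches, so a single version comparison misclassifies installs. The following inventory check is an added example, not code from Mozilla or this advisory; the inventory rows are constructed, and the `esr` suffix on version strings and the handling of ESR majors other than 115 are assumptions.

```python
import re

# Fixed versions taken from the advisory text above.
FIXED_RELEASE = (136, 0, 4)
FIXED_ESR = {115: (115, 21, 1), 128: (128, 8, 1)}

# Assumption: versions look like "136.0.4" or "128.8.1esr".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(esr)?$")


def parse_version(text):
    """Return ((major, minor, patch), is_esr) for strings like '128.8.0esr'."""
    m = _VERSION_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised Firefox version: {text!r}")
    major, minor, patch, esr = m.groups()
    return (int(major), int(minor), int(patch or 0)), esr is not None


def is_affected(version_text, os_name):
    """True if this install falls in the advisory's affected range."""
    if os_name.lower() != "windows":
        return False  # the advisory states only Windows is affected
    version, is_esr = parse_version(version_text)
    if is_esr:
        # Compare against the fix for the install's own ESR branch; a single
        # "< 128.8.1" test would wrongly flag the patched 115.21.1.
        # Assumption: ESR majors other than 115 are judged against 128.8.1.
        fixed = FIXED_ESR.get(version[0], FIXED_ESR[128])
    else:
        fixed = FIXED_RELEASE
    return version < fixed


# Constructed inventory rows: (host, operating system, Firefox version).
SAMPLE_INVENTORY = [
    ("ws-01", "Windows", "136.0.3"),
    ("ws-02", "Windows", "136.0.4"),
    ("ws-03", "Windows", "115.21.1esr"),
    ("ws-04", "Windows", "128.8.0esr"),
    ("ws-05", "Linux", "128.7.0esr"),
    ("ws-06", "Windows", "102.15.1esr"),
]


def affected_hosts(inventory):
    """Hosts whose Firefox install still needs the update."""
    return [host for host, os_name, ver in inventory if is_affected(ver, os_name)]
```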