CVE-2025-2857
First published: Thu Mar 27 2025(Updated: )
Following the recent Chrome sandbox escape (CVE-2025-2783), various Firefox developers identified a similar pattern in our IPC code. A compromised child process could cause the parent process to return an unintentionally powerful handle, leading to a sandbox escape. The original vulnerability was being exploited in the wild. This only affects Firefox on Windows. Other operating systems are unaffected.
Credit: security@mozilla.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Firefox | <136.0.4 | 136.0.4 |
| Firefox ESR | <115.21.1 | 115.21.1 |
| Firefox ESR | <128.8.1 | 128.8.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.mozilla.org/show_bug.cgi?id=1956398
- https://issues.chromium.org/issues/405143032
- https://www.mozilla.org/security/advisories/mfsa2025-19/
- https://www.bleepingcomputer.com/news/security/mozilla-warns-windows-users-of-critical-firefox-sandbox-escape-flaw/
- https://www.cve.org/CVERecord?id=CVE-2025-2783
- https://www.mozilla.org/en-US/security/advisories/mfsa2025-19/
- https://www.theregister.com/2025/03/28/google_kaspersky_mozilla/
Frequently Asked Questions
What is the severity of CVE-2025-2857?
CVE-2025-2857 has been classified as a high-severity vulnerability due to its potential for sandbox escape.
How do I fix CVE-2025-2857?
You can fix CVE-2025-2857 by updating to the latest version of Firefox or Firefox ESR as specified in the vulnerability details.
What versions of Firefox are affected by CVE-2025-2857?
CVE-2025-2857 affects Firefox versions up to 136.0.4 and Firefox ESR versions up to 115.21.1 and 128.8.1.
Can CVE-2025-2857 be exploited remotely?
Yes, CVE-2025-2857 can potentially be exploited remotely if a targeted child process is compromised.
What type of vulnerability is CVE-2025-2857?
CVE-2025-2857 is a sandbox escape vulnerability that allows a compromised child process to gain elevated privileges.
- collector/mitre-cve
- source/MITRE
- collector/bleeping-computer
- source/BleepingComputer
- alias/CVE-2025-2857
- alias/CVE-2025-2783
- alias/CVE-2024-9680
- alias/CVE-2024-49039
- agent/author
- agent/type
- agent/first-publish-date
- agent/description
- agent/softwarecombine
- collector/the-register
- source/The Register
- agent/references
- agent/trending
- collector/epss-latest
- source/FIRST
- agent/source
- agent/epss
- agent/news-ai
- zeroday/true
- exploited/true
- agent/tags
- collector/nvd-api
- source/NVD
- agent/last-modified-date
- agent/severity
- agent/event
- collector/mozilla-advisory
- source/Mozilla
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/mozilla
- canonical/firefox
- canonical/firefox esr