CVE-2025-5263

low-risk

Published 2025-05-27

Error handling for script execution was incorrectly isolated from web content, which could have allowed cross-origin leak attacks. This vulnerability was fixed in Firefox 139, Firefox ESR 115.24, Firefox ESR 128.11, Thunderbird 139, and Thunderbird 128.11.

Do I need to act?

0.18% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 4.3/10 Medium

NETWORK / LOW complexity

Affected Products (2)

Firefox

Affected Vendors

Mozilla

References (8)

Permissions Required https://bugzilla.mozilla.org/show_bug.cgi?id=1960745

Vendor Advisory https://www.mozilla.org/security/advisories/mfsa2025-42/

Vendor Advisory https://www.mozilla.org/security/advisories/mfsa2025-43/

Vendor Advisory https://www.mozilla.org/security/advisories/mfsa2025-44/

https://www.mozilla.org/security/advisories/mfsa2025-45/

https://www.mozilla.org/security/advisories/mfsa2025-46/

https://lists.debian.org/debian-lts-announce/2025/05/msg00043.html

https://lists.debian.org/debian-lts-announce/2025/05/msg00046.html

/ 100

low-risk

Severity 18/34 · Moderate

Exploitability 1/34 · Minimal

Exposure 7/34 · Low