Sandbox Escape Vulnerability in Firefox for Windows
CVE-2025-2857

10CRITICAL

Key Information:

Vendor
Mozilla
Status
Firefox
Firefox Esr
Vendor
CVE Published:
27 March 2025

Badges

🥇 Trended No. 1📈 Trended📈 Score: 9,320👾 Exploit Exists📰 News Worthy

What is CVE-2025-2857?

CVE-2025-2857 is a serious vulnerability identified in the Firefox web browser specifically for Windows operating systems. This flaw pertains to a sandbox escape, where a compromised child process could unintentionally provide the parent process with elevated privileges, allowing attackers to perform unauthorized actions within the system. Given that Firefox is widely used for safe web browsing, this vulnerability poses a significant risk to organizations relying on the browser for daily operations and secure internet access.

Technical Details

This vulnerability involves a defect in the inter-process communication (IPC) code used by Firefox. When properly exploited, the flaw can lead to a situation where the browser's intended security model is bypassed, offering attackers a powerful handle to manipulate the parent process. The vulnerability affects specific versions of Firefox—those below 136.0.4, as well as certain Extended Support Release (ESR) versions—making it critical for users to stay updated with the latest security patches provided by Mozilla.

Potential impact of CVE-2025-2857

  1. Unauthorized System Access: The vulnerability may allow attackers to execute code in the context of the parent process, paving the way for potential full system access and unwanted control over the user’s environment.

  2. Data Leakage: Exploitation of this vulnerability could lead to unauthorized access to sensitive information managed by the browser, including passwords, personal data, and corporate credentials, significantly compromising user privacy and organizational security.

  3. Increased Malware Risks: By facilitating a sandbox escape, the vulnerability could serve as an entry point for further malicious activities, including the installation of ransomware or other forms of malware, thereby jeopardizing the integrity and reliability of affected systems.

Affected Version(s)

Firefox < 136.0.4

Firefox ESR < 128.8.1

Firefox ESR < 115.21.1

News Articles

favicon imageSC Media

Firefox patches flaw similar to exploited Chrome zero-day

The sandbox escape flaw affected Firefox and Chrome browsers on Windows machines.

1 month ago

favicon imageHelp Net Security

Critical Firefox, Tor Browser sandbox escape flaw fixed (CVE-2025-2857) - Help Net Security

There's currently no indication that the Firefox sandbox escape vulnerability (CVE-2025-2857) is under active exploitation.

1 month ago

favicon imageSecurity Affairs

Mozilla fixed critical Firefox vulnerability CVE-2025-2857

Mozilla addressed a critical vulnerability, tracked as CVE-2025-2857, impacting its Firefox browser for Windows.

1 month ago

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1956398
https://issues.chromium.org/issues/405143032
https://www.cve.org/CVERecord?id=CVE-2025-2783

CVSS V3.1

Score:
10
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • 🥇

    Vulnerability reached the number 1 worldwide trending spot

  • 📈

    Vulnerability started trending

  • 👾

    Exploit known to exist

  • 📰

    First article discovered by BleepingComputer

  • Vulnerability published

  • Vulnerability Reserved

Credit

Andrew McCreight
.