CVE-2025-11713

8.1 HIGH

📋 TL;DR

The 'Copy as cURL' feature in Firefox and Thunderbird insufficiently escapes the generated command on Windows systems, which could be used to trick users into executing malicious code. Attackers could craft malicious web content that, when copied as a cURL command and run by the user, executes arbitrary commands on the victim's Windows machine. This affects Firefox < 144, Firefox ESR < 140.4, Thunderbird < 144, and Thunderbird < 140.4 on Windows only.

💻 Affected Systems

Products:
  • Firefox
  • Firefox ESR
  • Thunderbird
Versions: Firefox < 144, Firefox ESR < 140.4, Thunderbird < 144, Thunderbird < 140.4
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows operating systems; Linux and macOS are not vulnerable. Requires user interaction (copying and executing a malicious cURL command).

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution with user privileges, potentially leading to full system compromise, data theft, or ransomware deployment.

🟠 Likely Case

Limited code execution in user context, potentially stealing credentials, installing malware, or accessing local files.

🟢 If Mitigated

No impact if systems are patched or users avoid copying untrusted cURL commands from suspicious sources.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires social engineering to trick users into copying and executing malicious cURL commands. No authentication needed, but user interaction is required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 144+, Firefox ESR 140.4+, Thunderbird 144+, Thunderbird 140.4+

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2025-81/

Restart Required: Yes

Instructions:

1. Open Firefox/Thunderbird.
2. Click menu > Help > About Firefox/Thunderbird.
3. Allow automatic update or download latest version from mozilla.org.
4. Restart browser/email client.

🔧 Temporary Workarounds

Disable 'Copy as cURL' feature

windows

Remove or disable the 'Copy as cURL' context menu option via browser settings or extensions.

User awareness training

all

Educate users to avoid copying and executing cURL commands from untrusted websites or emails.

🧯 If You Can't Patch

  • Switch to non-Windows operating systems (Linux/macOS) where this vulnerability does not exist.
  • Use alternative browsers/email clients that are not affected by this specific vulnerability.

🔍 How to Verify

Check if Vulnerable:

Check browser/email client version: Firefox/Thunderbird < 144 or ESR < 140.4 on Windows indicates vulnerability.

Check Version:

firefox --version or thunderbird --version

Verify Fix Applied:

Confirm version is Firefox 144+, Firefox ESR 140.4+, Thunderbird 144+, or Thunderbird 140.4+.
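
The version check above has one trap: an ESR build such as 140.4.0 is fixed even though it is below 144, while a regular release 140.0.4 is not. The following is an added example (not Mozilla's or this page's code) that classifies version banners collected from an inventory. It assumes banners look like "Mozilla Firefox 140.4.0esr" with ESR builds carrying an "esr" suffix, treats other suffixes (pre-release builds) as unknown, and uses hypothetical names classify and triage.

```python
import re

# Fixed versions per branch, from the "Patch Version" line of this page.
FIXED_RELEASE = (144,)
FIXED_ESR = (140, 4)

# Assumed banner shape: "[Mozilla ]<Product> <dotted version>[suffix]".
BANNER = re.compile(
    r"^\s*(?:Mozilla\s+)?(Firefox|Thunderbird)\s+(\d+(?:\.\d+)*)([A-Za-z]\w*)?\s*$"
)


def classify(banner, os_name="Windows"):
    """Return (product, version, status); status is 'vulnerable', 'fixed',
    'not-affected' (non-Windows) or 'unknown' (unparseable or pre-release)."""
    m = BANNER.match(banner)
    if not m:
        return (None, None, "unknown")
    product, version = m.group(1), m.group(2)
    suffix = (m.group(3) or "").lower()
    if os_name.lower() != "windows":
        return (product, version, "not-affected")
    if suffix not in ("", "esr"):
        return (product, version, "unknown")  # beta/nightly: check by hand
    parts = tuple(int(p) for p in version.split("."))
    fixed = FIXED_ESR if suffix == "esr" else FIXED_RELEASE
    return (product, version, "fixed" if parts >= fixed else "vulnerable")


def triage(inventory):
    """Return (host, status) for installs that need the update or a manual look."""
    results = [(host, classify(banner, os_name)[2])
               for host, os_name, banner in inventory]
    return [r for r in results if r[1] in ("vulnerable", "unknown")]


# Constructed inventory rows (host, OS, version banner); not real data.
SAMPLE = [
    ("ws-01", "Windows", "Mozilla Firefox 143.0.4"),
    ("ws-02", "Windows", "Mozilla Firefox 140.4.0esr"),
    ("ws-03", "Windows", "Mozilla Firefox 140.0.4"),
    ("ws-04", "Windows", "Mozilla Thunderbird 140.3.1esr"),
    ("ws-05", "Windows", "Mozilla Firefox 144.0b3"),
    ("lx-01", "Linux", "Mozilla Firefox 143.0"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE):
        print(host, status)
```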

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution events in Windows Event Logs (Security/System)
  • Browser/email client crash reports related to cURL feature

Network Indicators:

  • Suspicious cURL commands in proxy logs with unexpected parameters or shell metacharacters

SIEM Query:

EventID=4688 AND CommandLine LIKE '%curl%' AND (ParentImage LIKE '%firefox%' OR ParentImage LIKE '%thunderbird%')
