Mozilla released a security advisory for a security vulnerability impacting its web browser, Firefox. Tracked as CVE-2025-2857, the vulnerability may allow an attacker to escape the web browser’s sandbox on Windows systems.
Mozilla described the vulnerability as an incorrect handle that could lead to sandbox escape. The vulnerability is similar to Chrome zero-day exploited in attacks (CVE-2025-2783) and was patched by Google earlier this week.
The advisory states, “Following the recent Chrome sandbox escape (CVE-2025-2783), various Firefox developers identified a similar pattern in our IPC code. A compromised child process could cause the parent process to return an unintentionally powerful handle, leading to a sandbox escape.”
Affected Versions
The vulnerability affects Firefox versions before 136.0.4.
Mitigation
Users must upgrade to the following Firefox, Firefox ESR versions to patch the vulnerability:
- Firefox 136.0.4
- Firefox ESR 115.21.1
- Firefox ESR 128.8.1
For more information, please refer to the Mozilla security advisory.
Qualys Detection
Qualys customers can scan their devices with QID 383001 to detect vulnerable assets.
Please follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://www.mozilla.org/en-US/security/advisories/mfsa2025-19/#CVE-2025-2857
