National CSIRT-CY | National Computer Security Incident Response Team of Cyprus

The National Computer Security Incident Response Team aims to increase cyber security by strengthening the protection of the cyberspace of the National Critical Information Infrastructures, the banks and the communication providers of the Republic of Cyprus.

Firefox sandbox escape flaw

31 March 2025

The Digital Security Authority (DSA) wants to bring to your attention a vulnerability affecting the Firefox sandbox.

 

Technical Details

A compromised child process could cause the parent process to return an unintentionally powerful handle, leading to a sandbox escape. Following the recent Chrome sandbox escape (CVE-2025-2783), various Firefox developers identified a similar pattern in the IPC code. This only affects Firefox on Windows. Other operating systems are unaffected.

 

Affected Products:

This vulnerability affects:

  • Firefox < 136.0.4
  • Firefox ESR < 128.8.1
  • Firefox ESR < 115.21.1

 

Fixed Versions: 

  • Firefox 136.0.4
  • Firefox ESR 115.21.1
  • Firefox ESR 128.8.1

 

Recommendations

The Digital Security Authority recommends that users update Firefox to version 136.0.4 and Firefox ESR to version 115.21.1 or 128.8.1 to ensure their devices are protected.
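
A triage helper that applies the affected and fixed version ranges listed above to a software inventory, added here as an example and not part of the DSA advisory or Mozilla's code. It assumes the inventory reports the OS name and the Firefox version string, with ESR builds carrying an `esr` suffix; the host names and function names are constructed for illustration.

```python
import re

# Fixed versions taken from the advisory.
FIXED_RELEASE = (136, 0, 4)
FIXED_ESR_115 = (115, 21, 1)
FIXED_ESR_128 = (128, 8, 1)

_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(text):
    """Return ((major, minor, patch), is_esr) for strings like '128.8.0esr'."""
    text = text.strip().lower()
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised Firefox version: {text!r}")
    numbers = tuple(int(part or 0) for part in match.groups())
    return numbers, text.endswith("esr")


def needs_update(os_name, version_text):
    """True if this install falls in the advisory's affected range."""
    if os_name.strip().lower() != "windows":
        return False  # the advisory states other operating systems are unaffected
    version, is_esr = parse_version(version_text)
    if not is_esr:
        return version < FIXED_RELEASE
    # ESR: compare against the fix for the branch the install is on, so that
    # 115.21.1esr is not flagged merely because it is numerically below 128.8.1.
    if version[0] <= 115:
        return version < FIXED_ESR_115
    return version < FIXED_ESR_128


# Constructed inventory rows (host, OS, reported version); not real data.
SAMPLE_INVENTORY = [
    ("ws-01", "Windows", "136.0.3"),
    ("ws-02", "Windows", "136.0.4"),
    ("ws-03", "Windows", "115.21.1esr"),
    ("ws-04", "Windows", "128.8.0esr"),
    ("ws-05", "Linux", "135.0"),
]


def hosts_to_patch(inventory):
    """Return the host names whose Firefox install still needs the update."""
    return [host for host, os_name, ver in inventory if needs_update(os_name, ver)]


if __name__ == "__main__":
    print(hosts_to_patch(SAMPLE_INVENTORY))
```
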

 


 

The information presented in this report is based on available data up to the 31st of March 2025.
