ISN 2025-20: Critical Firefox ESR Vulnerabilities
First published 3 June 2025
CVSS 3.1: 9.8 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Security vulnerabilities have been discovered in Firefox ESR, a web browser used in IGEL OS. This affects the following product versions:
IGEL OS 12
IGEL OS 11
Details
Three critical issues affect Firefox ESR: CVE-2025-4918 is an out-of-bounds read or write on a JavaScript Promise object. CVE-2025-4919 can enable an out-of-bounds read or write on a JavaScript object by confusing array index sizes. Finally, a double-free can occur in the libvpx encoder used for WebRTC (MFSA-TMP-2025-0001). These vulnerabilities can allow a remote attacker to crash the application, execute code or read data.
Update Instructions
OS 12: Update to the OS 12 Firefox ESR app version 128.11 or newer when available from the IGEL App Portal.
OS 11: Update to 11.10.310 when available (planned for 4 June).
References
Mozilla Foundation Security Advisory 2025-44: https://www.mozilla.org/en-US/security/advisories/mfsa2025-44/
Mozilla Foundation Security Advisory 2025-37: https://www.mozilla.org/en-US/security/advisories/mfsa2025-37/