Skip to main content
Skip table of contents

ISN 2025-20: Critical Firefox ESR Vulnerabilities

First published 3 June 2025

CVSS 3.1: 9.8 (Critical)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

Security vulnerabilities have been discovered in Firefox ESR, a web browser used in IGEL OS. This affects the following product versions:

  • IGEL OS 12

  • IGEL OS 11

Details

Three critical issues affect Firefox ESR: CVE-2025-4918 is an out-of-bounds read or write on a JavaScript Promise object. CVE-2025-4919 can enable an out-of-bounds read or write on a JavaScript object by confusing array index sizes. Finally, a double-free can occur in the libvpx encoder used for WebRTC (MFSA-TMP-2025-0001). These vulnerabilities can allow a remote attacker to crash the application, execute code or read data.

Update Instructions

  • OS 12: Update to the OS 12 Firefox ESR app version 128.11 or newer when available from the IGEL App Portal.

  • OS 11: Update to 11.10.310 when available (planned for 4 June).

References

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.