ISN 2025-20: Critical Firefox ESR Vulnerabilities

First published 3 June 2025

CVSS 3.1: 9.8 (Critical)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

Security vulnerabilities have been discovered in Firefox ESR, a web browser used in IGEL OS. This affects the following product versions:

• IGEL OS 12

• IGEL OS 11

Details

Three critical issues affect Firefox ESR: CVE-2025-4918 is an out-of-bounds read or write on a JavaScript Promise object. CVE-2025-4919 can enable an out-of-bounds read or write on a JavaScript object by confusing array index sizes. Finally, a double-free can occur in the libvpx encoder used for WebRTC (MFSA-TMP-2025-0001). These vulnerabilities can allow a remote attacker to crash the application, execute code or read data.

Update Instructions

• OS 12: Update to the OS 12 Firefox ESR app version 128.11 or newer when available from the IGEL App Portal.

• OS 11: Update to 11.10.310 when available (planned for 4 June).

References

• Mozilla Foundation Security Advisory 2025-44: https://www.mozilla.org/en-US/security/advisories/mfsa2025-44/

• Mozilla Foundation Security Advisory 2025-37: https://www.mozilla.org/en-US/security/advisories/mfsa2025-37/