ISN 2025-09: Firefox ESR Vulnerabilities
First published 29 April 2025
CVSS 3.1: 8.8 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
Security vulnerabilities have been found in Mozilla Firefox ESR, a web browser used in IGEL OS. This affects the following product versions:
IGEL OS 12
IGEL OS 11
Details
Mozilla reports several highs for Firefox ESR: Use-after-free issues affect the components WebTransportChild (CVE-2025-1931), XSLT (CVE-2025-1009), and Custom Highlight (CVE-2025-1010). WASM i32 return values may be corrupted in JIT on 64-bit CPUs (CVE-2025-1933).
An integer overflow when growing an SkRegion's RunArray (CVE-2024-43097) is rated as critical by Mozilla but re-ranked by IGEL as high.
Apart from that, Mozilla fixed various memory safety bugs (CVE-2025-1016 and CVE-2025-1937).
Update Instructions
OS 12: Update to the Firefox ESR App version 115.22 from the IGEL App Portal.
OS 11: Update OS 11.11.100 when available (planned for August).