CVE-2025-0237: The WebChannel API, which is used to transport various information across processes, did not check the sending principal but rather accepted the...

Description

The WebChannel API, which is used to transport various information across processes, did not check the sending principal but rather accepted the principal being sent. This could have led to privilege escalation attacks. This vulnerability affects Firefox < 134 and Firefox ESR < 128.6.

Classification

CVE ID: CVE-2025-0237

Affected Products

Vendor: Mozilla

Product: Firefox

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 17.83% (share of scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-02-05 (date this score was calculated)

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1915257
https://www.mozilla.org/security/advisories/mfsa2025-01/
https://www.mozilla.org/security/advisories/mfsa2025-02/

Timeline