CVE-2025-2857: Following the sanbdox escape in CVE-2025-2783, various Firefox developers identified a similar pattern in our IPC code. Attackers were able to...
Description
Following the sanbdox escape in CVE-2025-2783, various Firefox developers identified a similar pattern in our IPC code. Attackers were able to confuse the parent process into leaking handles into unpriviled child processes leading to a sandbox escape.
The original vulnerability was being exploited in the wild.
*This only affects Firefox on Windows. Other operating systems are unaffected.* This vulnerability affects Firefox < 136.0.4, Firefox ESR < 128.8.1, and Firefox ESR < 115.21.1.
Known Exploited
🚨 Marked as known exploited on March 27th, 2025 (3 months ago).
Classification
CVE ID: CVE-2025-2857
CVSS Base Severity: CRITICAL
CVSS Base Score: 10.0
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Problem Types
Incorrect handle could lead to sandbox escapesAffected Products
Vendor: Mozilla
Product: Firefox, Firefox ESR, Firefox ESR
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.08% (probability of being exploited)
EPSS Percentile: 24.76% (scored less or equal to compared to others)
EPSS Date: 2025-04-25 (when was this score calculated)
References
https://nvd.nist.gov/vuln/detail/CVE-2025-2857https://bugzilla.mozilla.org/show_bug.cgi?id=1956398
https://issues.chromium.org/issues/405143032
https://www.mozilla.org/security/advisories/mfsa2025-19/