CVE-2025-2857

{"id": "CVE-2025-2857", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 10.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.9}]}, "published": "2025-03-27T14:15:55.720", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1956398", "tags": ["Permissions Required"], "source": "security@mozilla.org"}, {"url": "https://issues.chromium.org/issues/405143032", "tags": ["Permissions Required"], "source": "security@mozilla.org"}, {"url": "https://www.cve.org/CVERecord?id=CVE-2025-2783", "tags": ["Third Party Advisory"], "source": "security@mozilla.org"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-19/", "tags": ["Vendor Advisory"], "source": "security@mozilla.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Following the recent Chrome sandbox escape (CVE-2025-2783), various Firefox developers identified a similar pattern in our IPC code. A compromised child process could cause the parent process to return an unintentionally powerful handle, leading to a sandbox escape. \nThe original vulnerability was being exploited in the wild. \n*This only affects Firefox on Windows. Other operating systems are unaffected.* This vulnerability affects Firefox < 136.0.4, Firefox ESR < 128.8.1, and Firefox ESR < 115.21.1."}, {"lang": "es", "value": "Tras la reciente fuga de la sandbox de Chrome (CVE-2025-2783), varios desarrolladores de Firefox identificaron un patr\u00f3n similar en nuestro c\u00f3digo IPC. Un proceso secundario comprometido pod\u00eda provocar que el proceso principal devolviera un identificador involuntariamente potente, lo que provocaba una fuga de la sandbox. La vulnerabilidad original se estaba explotando in situ. *Esto solo afecta a Firefox en Windows. Otros sistemas operativos no se ven afectados.* Esta vulnerabilidad afecta a Firefox &lt; 136.0.4, Firefox ESR &lt; 128.8.1 y Firefox ESR &lt; 115.21.1."}], "lastModified": "2025-05-01T19:31:14.930", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*", "vulnerable": true, "matchCriteriaId": "8D63728B-F6A1-4AE4-8E2A-06279158154D", "versionEndExcluding": "136.0.4"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*", "vulnerable": true, "matchCriteriaId": "49918C23-8656-4D5F-B626-1B7ED8E45F8F", "versionEndExcluding": "115.21.1"}, {"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*", "vulnerable": true, "matchCriteriaId": "D508F954-1ED2-4185-96B1-571172C5897D", "versionEndExcluding": "128.8.1", "versionStartIncluding": "128.1.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@mozilla.org"}