Summary : Mozilla released the Firefox 145 Security Update on November 11, 2025, addressing 16 vulnerabilities affecting multiple components allowing arbitrary code execution.

The Mozilla Firefox advisory details reveal that exploiting these vulnerabilities requires attackers to deliver malicious content via compromised websites or through network attacks. The vulnerability landscape reveals concerning patterns in critical components where WebGPU graphics processing emerges as a significant attack surface, with five separate boundary condition flaws identified.

OEM	Mozilla
Severity	High
Date of Announcement	2025-11-11
Actively Exploited	No
Exploited in Wild	No
Advisory Version	1.0

Overview 

Vulnerability Name	CVE ID	Product Affected	Severity
Graphics Race Condition Enabling Remote Code Execution	CVE-2025-13012	Firefox	High
WebAssembly Boundary Error RCE	CVE-2025-13016	Firefox	High
WebGPU Boundary Error Leading to Remote Code Execution	CVE-2025-13021	Firefox	High
WebGPU Boundary Error Leading to Remote Code Execution	CVE-2025-13022	Firefox	High
WebGPU Sandbox Escape via Boundary Flaw	CVE-2025-13023	Firefox	High
JavaScript Engine JIT Miscompilation RCE	CVE-2025-13024	Firefox	High
WebGPU Boundary Error Leading to Remote Code Execution	CVE-2025-13025	Firefox	High
WebGPU Sandbox Escape and Code Execution	CVE-2025-13026	Firefox	High
Memory Safety Bugs Allowing Arbitrary Code Execution	CVE-2025-13027	Firefox, Thunderbird	High

Mozilla released the Firefox 145 Security Update on November 11, 2025, addressing 16 vulnerabilities affecting multiple components.

The patched vulnerabilities include memory safety bugs, boundary errors, race conditions, and sandbox escapes that could allow remote code execution (RCE), privilege escalation or data exposure. Although no active exploitation has been reported. Users and administrators should upgrade immediately to prevent exploitation and maintain browser security integrity. 

Technical Summary 

Memory corruption and sandbox escape issues could allow attackers to run malicious code or bypass.

Firefox’s isolation controls, leading to full system compromise. WebRTC and multimedia use-after-free bugs further increase the risk of crashing or leaking live data.

Though no exploitation has been detected, users and enterprises should update immediately to reduce exposure to emerging browser-based threats. 

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-13012	Graphics Subsystem	Race condition vulnerability leads to system crash or remote execution.	Remote Code Execution
CVE-2025-13016	JavaScript: WebAssembly	Incorrect memory boundary validation allows code execution through crafted scripts.	Remote Code Execution
CVE-2025-13021	Graphics: WebGPU	Boundary condition errors may cause memory corruption and remote code execution.	Remote Code Execution
CVE-2025-13022	Graphics: WebGPU	Boundary error in WebGPU rendering pipeline allowing memory corruption	Remote Code Execution
CVE-2025-13023	Graphics: WebGPU	Sandbox escape via boundary flaw enabling code execution outside browser process.	Sandbox Escape, RCE
CVE-2025-13024	JavaScript Engine: JIT	JIT miscompilation allows stealthy remote code execution within browser context.	Remote Code Execution
CVE-2025-13025	Graphics: WebGPU	Improper memory boundary control in WebGPU leads to RCE.	Remote Code Execution
CVE-2025-13026	Graphics: WebGPU	Sandbox escape enabling remote code execution beyond browser sandbox.	Sandbox Escape, RCE
CVE-2025-13027	Firefox / Thunderbird	Memory safety errors across multiple components allow arbitrary code execution.	Remote Code Execution

Source: Microsoft, Cybersecurity News 

In addition to several high severity vulnerabilities, the update also addresses several other Medium and Low severity vulnerabilities across browser subsystems – 

• CVE-2025-13017: DOM Notifications Origin Bypass – Same-origin policy bypass may expose user data or notifications to untrusted sites. (Medium) 

• CVE-2025-13018: DOM Security Mitigation Bypass – Allows limited circumvention of built-in browser security controls. (Medium) 

• CVE-2025-2884: TCG TPM 2.0 Vulnerability – Out-of-bounds read in TPM cause info disclosure or DoS, impacting secure boot. (Medium) 

• CVE-2025-13019: DOM Workers Origin Bypass – May expose cross-origin content or enable script injection. (Medium) 

• CVE-2025-13013: DOM Core/HTML Mitigation Bypass – Allows controlled bypass of HTML sanitization in certain contexts. (Medium) 

• CVE-2025-13014: Audio/Video Use-After-Free – Memory mismanagement issue that could leak multimedia data or crash browser. (Medium)  

• CVE-2025-13015: Firefox UI Spoofing – Interface rendering flaw may allow deceptive UI elements. (Low) 

Recommendations: 

• Update all Firefox to version 145 immediately to mitigate the vulnerabilities.  

Here are some recommendations below  

• Enable automatic browser updates across all systems. 

• Perform vulnerability scans to ensure no outdated browser versions remain. 

• Restrict use of WebGPU or WebAssembly APIs in enterprise environments unless essential. 

• Educate employees about risks from phishing, drive-by downloads and malicious extensions. 

Conclusion: 
The Firefox 145 update is a critical security release addressing sixteen vulnerabilities across graphics, WebGPU, JavaScript engine, DOM, and WebRTC components.

Immediate patching and adherence to strong security hygiene are essential to prevent remote code execution, sandbox escapes, and data leaks. Timely remediation ensures operational continuity and protection of both individual and enterprise users against evolving exploitation techniques targeting browser flaws. 

Improving browsing behavior significantly reduces risk exposure of users. Reporters Oskar L and Jamie Nicol highlighted how these bugs exploit WebGPU’s high-performance rendering, a feature increasingly targeted as web apps grow more graphics-intensive.

References: 

• https://cybersecuritynews.com/firefox-145/ 

• https://www.mozilla.org/en-US/security/advisories/mfsa2025-87/