Critical Vulnerability Information Security Advisory

Mozilla Foundation Security Advisory 2025-53
Release Date: June 24, 2025
Severity: High
Product: Firefox ESR
Fixed Version: Firefox ESR 128.12

CVE-2025-6424: Use-after-free in FontFaceSet
Reporter: LJP and HexRabbit (DEVCORE Research Team)
Severity: High
Description: A use-after-free in FontFaceSet could lead to an exploitable crash.
Reference: Bug 1988423

CVE-2025-6425: WebCompat WebExtension Exposes Persistent UUID
Reporter: Rob Wu
Severity: Medium
Description: An attacker could enumerate resources in the WebCompat WebExtension to obtain a persistent UUID that identifies the browser installation. The UUID persists across containers and between normal and private browsing modes, but not across profiles.
Reference: Bug 1717872

CVE-2025-6426: No Warning When Opening Executable Terminal Files on macOS
Reporter: pwn2car
Severity: Medium
Description: Firefox did not warn users before opening executable files with the .terminal extension. This issue affects only Firefox for macOS; other platforms are unaffected.
Reference: Bug 1964385

CVE-2025-6429: Incorrect URL Parsing May Allow Embedding of youtube.com
Reporter: Masato Kinugawa
Severity: Medium
Description: Firefox could incorrectly parse a URL and rewrite it to the youtube.com domain, bypassing site security checks that restrict which domains may be embedded.
Reference: Bug 1970659

CVE-2025-6430: Content-Disposition Header Ignored When File is Embedded in embed or object Tags
Reporter: Danil Satyae (Positive Technologies)
Severity: Medium
Description: When a file is marked for download with a Content-Disposition: attachment header, the instruction is ignored if the file is loaded through an embed or object tag. A site that relies on that header to keep user-supplied files from rendering inline could be exposed to cross-site scripting.
Reference: Bug 1071140