Mozilla delivered a suite of important security updates across its flagship products: Firefox, Thunderbird, and its iOS browsing apps. These patches address a range of vulnerabilities, some of which carry a high risk if left unaddressed.
Firefox 142
With the release of Firefox 142, Mozilla has fixed several notable issues affecting both security and privacy. Among the most significant is CVE-2025-31421, a critical bug in the handling of JavaScript objects that could allow attackers to execute malicious code on a victim’s computer simply by getting them to visit a compromised or specially crafted website. This kind of vulnerability is a prime target for attackers and is the main reason users should update as soon as possible.
In addition, CVE-2025-31422 addresses an issue where cross-origin resource sharing (CORS) requests could have been improperly handled, potentially leaking sensitive user data across websites. Rounding out the update, CVE-2025-31423 and CVE-2025-31424 fix further vulnerabilities related to memory safety and use-after-free errors, both of which could potentially be exploited for code execution or application crashes.
Mozilla’s commitment to mobile security is also on display with updates to Firefox for iOS and Firefox Focus for iOS, both now at version 142. This release resolves CVE-2025-31427, a bug where private browsing data could persist longer than intended, as well as CVE-2025-31428, which fixes a flaw that could allow unexpected app behavior when handling certain web content.
Firefox ESR for Enterprise Users
For organizations running the Extended Support Release (ESR) versions of Firefox, Mozilla has issued parallel updates: ESR 115.27, 128.14, and 140.2. These updates include the same core fixes as the main Firefox release, patching vulnerabilities such as CVE-2025-31421 and CVE-2025-31423, and also address several memory management bugs unique to the ESR branches. These memory safety issues—while sometimes less headline-grabbing—can still be chained together by determined attackers to compromise system integrity.
Thunderbird Email
Thunderbird’s latest release addresses numerous vulnerabilities that could be triggered by malicious emails. These vulnerabilities could, in a worst-case scenario, allow an attacker to execute code simply by previewing a malicious email. Included in the patches are fixes for CVE-2025-31425, which addresses improper handling of email headers, and CVE-2025-31426, which fixes an attachment validation bug.
Hackers are quick to exploit known flaws once they become public, and browser and email vulnerabilities are among the most frequently targeted.
As always, the best protection is to stay up-to-date. If your organization manages devices or user endpoints, push these updates as soon as possible.
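For teams that track browser versions in an endpoint inventory, the following added example (not from Mozilla or from the original article) flags desktop Firefox installs that are below the fixed versions named above: 142 on the release channel and ESR 115.27, 128.14 and 140.2. The host names and the inventory list are constructed, and the code assumes version strings in the form Firefox reports them, with ESR builds carrying an `esr` suffix.

```python
import re

# Fixed versions named in this article (desktop Firefox only).
RELEASE_FIXED = (142, 0)
ESR_FIXED = {115: (115, 27), 128: (128, 14), 140: (140, 2)}

# Accepts "142", "142.0", "141.0.3", "128.14.0esr"; pre-release tags are rejected.
_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(esr)?$", re.IGNORECASE)


def classify(version):
    """Return 'patched', 'outdated', 'no-fix-listed' or 'unparseable'."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return "unparseable"
    major, minor = int(m.group(1)), int(m.group(2) or 0)
    if m.group(4):  # ESR build: compare only within its own branch
        fixed = ESR_FIXED.get(major)
        if fixed is None:
            # The article names no patched build for this ESR branch.
            return "no-fix-listed"
        return "patched" if (major, minor) >= fixed else "outdated"
    return "patched" if (major, minor) >= RELEASE_FIXED else "outdated"


def audit(inventory):
    """Group host names by patch status; inventory is (host, version) pairs."""
    report = {}
    for host, version in inventory:
        report.setdefault(classify(version), []).append(host)
    return {status: sorted(hosts) for status, hosts in report.items()}


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE = [
    ("ws-01", "142.0"),
    ("ws-02", "141.0.3"),
    ("kiosk-01", "128.13.0esr"),
    ("kiosk-02", "128.14.0esr"),
    ("lab-01", "115.27.0esr"),
    ("lab-02", "140.1.0esr"),
    ("old-01", "102.15.1esr"),
    ("dev-01", "143.0a1"),
]

if __name__ == "__main__":
    for status, hosts in sorted(audit(SAMPLE).items()):
        print(f"{status}: {', '.join(hosts)}")
```

Hosts reported as `no-fix-listed` or `unparseable` need manual review rather than being treated as safe.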
For a full breakdown of these advisories, including technical details and links to individual CVE entries, visit Mozilla’s official security advisories page.