Firefox 141 Released with Patches for 18 Vulnerabilities, Including High-Severity RCE Flaws
On July 22, 2025, Mozilla unveiled the Firefox 141 update, a release focused on enhancing browser security. According to security bulletin MFSA 2025-56, the update addresses 18 vulnerabilities, including flaws in the JavaScript engine, WebAssembly implementation, iframe isolation mechanisms, and Content Security Policy (CSP) enforcement.
Two of the vulnerabilities have been rated as high severity. The first, CVE-2025-8027, was discovered in the IonMonkey JIT compiler. On 64-bit platforms, the compiler performed partial writes of return values, leading to stack inconsistencies and potentially enabling arbitrary code execution. The second, CVE-2025-8028, involved WebAssembly on ARM64 devices, where improper handling of large branch tables could result in truncated instructions and disrupted control flow.
Other notable issues resolved include:
- CVE-2025-8042: Enabled downloads from within isolated iframes
- CVE-2025-8036: DNS rebinding attack bypassing CORS protections
- CVE-2025-8029: Execution of
javascript:URLs inside<object>and<embed>tags - CVE-2025-8039: Persistence of search queries in the address bar
Particular attention was also given to three generalized memory safety bugs — CVE-2025-8034, CVE-2025-8035, and CVE-2025-8040 — encompassing multiple memory management errors identified via automated fuzz testing. Several of these may have been exploitable for remote code execution.
This security update is being rolled out across all supported branches of the browser, including the Extended Support Release (ESR) versions: Firefox ESR 115.26, 128.13, and 140.1. Corresponding patches have also been integrated into Thunderbird 141.
Mozilla emphasizes the critical importance of updating promptly, especially on systems running 64-bit or ARM64 architectures. Vulnerabilities tied to memory handling and JIT compilation are considered particularly severe, with potential implications for system compromise.
Firefox 141 is available via the built-in update mechanism, Mozilla’s official website, and distribution channels for Windows, macOS, and Linux.
