CVE-2025-11713

Severity: HIGH
Published: 2025-10-14 (source: [email protected])
Base score: 8.1 (CVSS 3.1)

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline

1. Analysis Generated: Apr 13, 2026 - 15:43 (vuln.today)

Description (NVD)

Insufficient escaping in the “Copy as cURL” feature could have been used to trick a user into executing unexpected code on Windows. This did not affect the application when running on other operating systems. This vulnerability was fixed in Firefox 144, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4.

Analysis (AI)

Command injection through the Firefox/Thunderbird DevTools 'Copy as cURL' feature on Windows. The feature turns a request captured in the Network panel into a curl command line; request content an attacker can influence (for example a URL, header or body on a page the user is inspecting) can carry shell metacharacters that the generator did not escape for the Windows shell, so when the user pastes the copied command into a terminal, the injected text runs as its own command. Affects Firefox < 144, Firefox ESR < 140.4, Thunderbird < 144 and Thunderbird < 140.4, on Windows only. No public exploit was identified at the time of analysis. The vector needs no privileges but does need user interaction (CVSS PR:N/UI:R): the victim must open DevTools, copy the request as cURL and paste it into a shell.

Technical Context (AI)

This vulnerability is classed as CWE-116 (Improper Encoding or Escaping of Output) in Mozilla's developer tools. The 'Copy as cURL' feature builds a command line from a request captured in the Network panel: the URL, method, headers and body are each quoted and appended as curl arguments. On Windows the generated line is parsed twice, with different rules each time: first by cmd.exe, where a double quote toggles quoting, `&`, `|`, `<` and `>` separate commands or redirect output, `^` is the escape character outside quotes, and `%NAME%` is expanded even inside quotes; then by curl.exe's C runtime, which splits argv with its own backslash-and-quote rules. PowerShell parses differently again (backtick escapes, `$` expansion inside double quotes). Because of these differences the POSIX single-quote scheme cannot be reused, and the Windows-specific escaping in affected versions left characters through that let a value close the quoted argument. Once the quote is closed, a following `&` or line break ends the curl command and whatever the attacker placed after it runs as a separate command. The affected products per CPE data are Mozilla Firefox (standard and ESR channels) and Mozilla Thunderbird across all distribution channels, but exploitation is limited to Windows because the POSIX variant of the feature is not affected.

Remediation (AI)

Vendor-released patches are available for all affected products. Upgrade Firefox to version 144 or later for standard releases, or Firefox ESR to version 140.4 or later for extended support deployments. Upgrade Thunderbird to version 144 or later for standard releases, or Thunderbird 140.4 or later for ESR deployments. Updates can be applied through Mozilla's automatic update mechanism or by manual download from mozilla.org; confirm the installed version under Help > About or on the about:support page. For enterprise environments that cannot patch immediately, instruct users to paste any cURL command copied from DevTools into an editor first and review it before running it, looking in particular for stray double quotes, `&`, `|`, `<`, `>`, `^`, `%NAME%` sequences and line breaks that appear outside the quoted arguments. Where developer tools are not operationally required, disable them in managed environments (Firefox enterprise policies provide a DisableDeveloperTools setting for this). Detailed security advisories with complete remediation guidance are available at https://www.mozilla.org/security/advisories/mfsa2025-81/ through mfsa2025-85/.
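The dual-parser problem described in the technical context above, together with the manual review step the remediation advises, as an added worked example in JavaScript (the language DevTools is written in). This is not Mozilla's code and does not reproduce the upstream fix: `naiveQuote`, `cmdQuote`, `buildCurlCommand`, `findCmdBreakouts`, `parseCrtArgv` and the `capturedRequest` sample are all constructed here for illustration. It assumes the paste target is cmd.exe at an interactive prompt and that curl.exe splits its argv with the post-2008 Microsoft CRT rules (where `""` inside a quoted argument is a literal quote); a curl.exe linked against the old msvcrt.dll, or a paste into PowerShell, would need different rules.

```javascript
// Constructed sample of a captured request. The X-Trace header and the body
// stand in for content an attacker-controlled site could put into a request.
const capturedRequest = {
  url: 'https://example.invalid/api/upload',
  method: 'POST',
  headers: [
    { name: 'Content-Type', value: 'application/json' },
    { name: 'X-Trace', value: 'abc" & calc.exe & echo "' },
  ],
  body: '{"path":"C:\\tmp","note":"%USERNAME%"}',
};

// Weak form: wrap in double quotes and escape nothing.
const naiveQuote = (value) => '"' + value + '"';

// Hardened form for cmd.exe followed by a post-2008 CRT argv parser (own
// escaper, not the upstream fix):
//  - backslashes are only special before a quote, so double the run that
//    precedes every quote we emit, and any trailing run;
//  - an embedded quote becomes "": the CRT reads a literal quote, cmd.exe
//    reads close+reopen, so cmd's quote state is preserved;
//  - cmd.exe expands %NAME% even inside quotes, so each % is split out as
//    "%" and cmd sees %"NAME"%, which names no variable;
//  - a raw CR/LF would end the pasted line, so it is dropped (a header or URL
//    containing a raw line break is malformed anyway).
function cmdQuote(value) {
  let s = value.replace(/[\r\n]+/g, '');
  s = s.replace(/(\\*)(["%])/g, (m, bs, c) => bs + bs + (c === '"' ? '""' : '"%"'));
  s = s.replace(/(\\+)$/, (m, bs) => bs + bs);
  return '"' + s + '"';
}

// Build the curl command line from a captured request with a pluggable quoter.
function buildCurlCommand(req, quote) {
  const parts = ['curl', quote(req.url)];
  if (req.method !== 'GET') parts.push('-X', quote(req.method));
  for (const h of req.headers) parts.push('-H', quote(`${h.name}: ${h.value}`));
  if (req.body != null) parts.push('--data-raw', quote(req.body));
  return parts.join(' ');
}

// Reviewer's check: walk the line with cmd.exe's quote state and report
// separators/redirections outside quotes (a caret outside quotes escapes the
// next character) plus %NAME% expansions, which cmd performs regardless of
// quotes; a name containing a quote is never defined, which is what the "%"
// split in cmdQuote relies on.
function findCmdBreakouts(line) {
  const separators = [];
  let inQuotes = false;
  for (let i = 0; i < line.length; i++) {
    const ch = line[i];
    if (ch === '"') { inQuotes = !inQuotes; continue; }
    if (inQuotes) continue;
    if (ch === '^') { i++; continue; }
    if ('&|<>\r\n'.includes(ch)) separators.push({ index: i, char: ch });
  }
  const expansions = [...line.matchAll(/%([^%"\r\n]+)%/g)].map((m) => m[0]);
  return { separators, expansions };
}

// Simplified model of how curl.exe (post-2008 Microsoft CRT) splits its
// command line into argv: whitespace separates arguments outside quotes,
// 2n backslashes before a quote give n backslashes plus a quote toggle,
// 2n+1 give n backslashes plus a literal quote, and "" inside a quoted
// argument is a literal quote.
function parseCrtArgv(line) {
  const argv = [];
  let cur = null;
  let inQuotes = false;
  for (let i = 0; i < line.length; ) {
    const ch = line[i];
    if (ch === '\\') {
      let n = 0;
      while (line[i] === '\\') { n++; i++; }
      if (line[i] === '"') {
        cur = (cur ?? '') + '\\'.repeat(n >> 1);
        if (n % 2 === 1) { cur += '"'; i++; }
      } else {
        cur = (cur ?? '') + '\\'.repeat(n);
      }
    } else if (ch === '"') {
      if (inQuotes && line[i + 1] === '"') { cur += '"'; i += 2; }
      else { inQuotes = !inQuotes; cur = cur ?? ''; i++; }
    } else if (!inQuotes && (ch === ' ' || ch === '\t')) {
      if (cur !== null) { argv.push(cur); cur = null; }
      i++;
    } else {
      cur = (cur ?? '') + ch;
      i++;
    }
  }
  if (cur !== null) argv.push(cur);
  return argv;
}

const naiveLine = buildCurlCommand(capturedRequest, naiveQuote);
const hardenedLine = buildCurlCommand(capturedRequest, cmdQuote);
console.log('naive:    ', naiveLine, findCmdBreakouts(naiveLine));
console.log('hardened: ', hardenedLine, findCmdBreakouts(hardenedLine));
console.log('curl argv:', parseCrtArgv(hardenedLine));
```

With the naive quoter the X-Trace value closes the quoted argument and the two `&` that follow sit outside quotes, so cmd.exe would run `calc.exe` as a second command; the body's `%USERNAME%` is also expanded. With `cmdQuote` no separator is outside quotes, no expansion survives, and the CRT model hands curl back the original header and body unchanged. `findCmdBreakouts` is the same check a reviewer can run by eye on a pasted command before executing it.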

Vendor Status (Vendor)
