CVE-2025-11713 Overview
CVE-2025-11713 is a command injection vulnerability affecting Mozilla Firefox and Thunderbird on Windows systems. The vulnerability stems from insufficient escaping in the "Copy as cURL" feature within the browser's developer tools. When a user copies a network request as a cURL command and pastes it into a Windows command prompt or PowerShell, specially crafted request data could execute arbitrary code on the user's system.
Critical Impact
Attackers could trick users into executing malicious commands on Windows systems by exploiting improper character escaping in copied cURL commands, potentially leading to full system compromise.
Affected Products
- Mozilla Firefox versions prior to 144
- Mozilla Firefox ESR versions prior to 140.4
- Mozilla Thunderbird versions prior to 144
- Mozilla Thunderbird ESR versions prior to 140.4
Discovery Timeline
- October 14, 2025 - CVE-2025-11713 published to NVD
- April 13, 2026 - Last updated in NVD database
Technical Details for CVE-2025-11713
Vulnerability Analysis
This vulnerability (CWE-116: Improper Encoding or Escaping of Output) occurs in the "Copy as cURL" functionality found in the Network tab of Firefox and Thunderbird's Developer Tools. When users right-click on a network request and select "Copy as cURL," the browser generates a command-line string that can be pasted into a terminal to replay the HTTP request.
The flaw specifically affects Windows systems due to differences in shell metacharacter handling between Windows command interpreters and Unix-like shells. Windows uses different escape sequences and special characters compared to Linux or macOS, and the vulnerability arises when the browser fails to properly escape these Windows-specific metacharacters in request headers, URLs, or POST data.
An attacker could craft a malicious web page with specially formatted HTTP request data containing embedded command injection payloads. When a developer or security researcher copies such a request as cURL and executes it in a Windows terminal, the injected commands would execute with the user's privileges.
Root Cause
The root cause is improper output encoding when generating cURL command strings for Windows environments. The escaping logic did not adequately account for Windows command shell metacharacters such as ^, &, |, %, and others that have special meaning in cmd.exe or PowerShell. This allowed malicious input embedded in HTTP request parameters to break out of the intended cURL command context and execute arbitrary commands.
Attack Vector
The attack requires social engineering to be successful. An attacker must:
- Create a malicious website that generates HTTP requests with specially crafted headers or parameters containing command injection payloads
- Convince a victim (likely a developer or security professional) to inspect the network traffic using Developer Tools
- Persuade the victim to copy the request as cURL and execute it in a Windows command prompt
The vulnerability exploits the trust users place in the "Copy as cURL" feature: users assume the generated command is safe to execute. Since this feature is primarily used by developers and security researchers for debugging and testing, the target audience is often technically sophisticated users who may be less suspicious of executing copied commands.
Detection Methods for CVE-2025-11713
Indicators of Compromise
- Unusual curl.exe process executions with suspicious command-line arguments containing shell metacharacters
- PowerShell or cmd.exe processes spawned as child processes of curl.exe unexpectedly
- Network requests from Firefox or Thunderbird containing unusual characters in headers or parameters such as &, |, or ^
- Evidence of command execution immediately following cURL command execution from clipboard operations
Detection Strategies
- Monitor process creation events for curl.exe with command-line arguments containing Windows shell escape sequences
- Implement endpoint detection rules for suspicious process chains involving browser → clipboard → terminal → curl execution patterns
- Alert on cURL executions that spawn unexpected child processes or make unusual system calls
- Deploy behavioral analysis to detect command injection patterns in terminal inputs
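One way to express the process-chain rules above over process creation and termination telemetry, as an added example that is not SentinelOne or Mozilla code. The event schema, field names, the `find_curl_followups` function and the two-second window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_curl_followups(events, window_seconds=2.0):
    """Return (rule, curl_pid, image) alerts for shell-launched curl.exe runs."""
    window = timedelta(seconds=window_seconds)
    creates = [e for e in events if e["type"] == "create"]
    exits = {e["pid"]: e["time"] for e in events if e["type"] == "exit"}
    alerts = []
    for curl in creates:
        if image_name(curl["image"]) != "curl.exe":
            continue
        if image_name(curl["parent_image"]) not in SHELLS:
            continue
        done = exits.get(curl["pid"], curl["time"])
        for other in creates:
            if other is curl:
                continue
            if other["ppid"] == curl["pid"]:
                # curl.exe is not expected to start other programs
                alerts.append(("child-of-curl", curl["pid"], other["image"]))
            elif other["ppid"] == curl["ppid"] and done <= other["time"] <= done + window:
                # the same shell started another program right after curl finished
                alerts.append(("sibling-after-curl", curl["pid"], other["image"]))
    return alerts


def make_event(kind, seconds, pid, ppid=None, image=None, parent_image=None):
    t = datetime(2025, 1, 1, 10, 0, 0) + timedelta(seconds=seconds)
    return {"type": kind, "time": t, "pid": pid, "ppid": ppid,
            "image": image, "parent_image": parent_image}


# Constructed events; field names are a hypothetical normalized schema.
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    make_event("create", 0.0, 4100, 3000, r"C:\Windows\System32\curl.exe", CMD),
    make_event("exit", 1.2, 4100),
    make_event("create", 1.25, 4104, 3000, r"C:\Windows\System32\whoami.exe", CMD),
    make_event("create", 40.0, 4200, 3000, r"C:\Windows\System32\notepad.exe", CMD),
]
```

Shell built-ins create no process event, so this correlation only sees external programs, and it does not account for PID reuse.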
Monitoring Recommendations
- Enable command-line logging on Windows systems to capture full arguments passed to cmd.exe and PowerShell
- Implement SentinelOne's process monitoring to detect anomalous curl executions and their spawned processes
- Review browser logs and network traffic for requests containing potentially malicious escape sequences
- Establish baseline behavior for developer workstations to identify deviations in command execution patterns
How to Mitigate CVE-2025-11713
Immediate Actions Required
- Update Mozilla Firefox to version 144 or later immediately
- Update Mozilla Firefox ESR to version 140.4 or later
- Update Mozilla Thunderbird to version 144 or later
- Update Mozilla Thunderbird ESR to version 140.4 or later
- Advise users to exercise caution when copying and executing cURL commands from Developer Tools on Windows
Patch Information
Mozilla has released security patches addressing this vulnerability in the following versions:
- Firefox 144 - Full fix for standard release channel
- Firefox ESR 140.4 - Fix for Extended Support Release
- Thunderbird 144 - Full fix for standard release
- Thunderbird 140.4 - Fix for ESR channel
For detailed patch information, refer to Mozilla Security Advisories MFSA-2025-81, MFSA-2025-83, MFSA-2025-84, and MFSA-2025-85. Technical details can be found in Mozilla Bug Report #1986142.
Workarounds
- Avoid using the "Copy as cURL" feature on Windows systems until patched versions are deployed
- If cURL commands must be copied, manually inspect the command for suspicious characters before execution
- Use a Unix-like environment (WSL, Git Bash) instead of native Windows command prompt when executing copied cURL commands
- Consider using browser extensions or alternative tools for network request analysis that properly escape Windows metacharacters
# Verify that the installed Firefox version is patched
firefox --version
# Expected output: Mozilla Firefox 144.0 or higher (ESR: 140.4 or higher)
# Verify that the installed Thunderbird version is patched
thunderbird --version
# Expected output: Thunderbird 144.0 or higher (ESR: 140.4 or higher)
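The manual inspection workaround above can be made repeatable with a small pre-paste check. This is an added example, not Mozilla's escaping code or a SentinelOne tool: the `audit_cmd_line` function is hypothetical, it models cmd.exe quoting only (PowerShell parses differently and is not covered), and the sample commands are constructed.

```python
import os
import re

OPERATORS = "&|<>"  # command separators and redirection in cmd.exe
PERCENT_REF = re.compile(r"%([^%:\r\n]+)(?::[^%\r\n]*)?%")  # %NAME% or %NAME:~0,1%
# A few of cmd.exe's dynamic variables, which are not in the environment block.
DYNAMIC_VARS = {"CD", "DATE", "TIME", "RANDOM", "ERRORLEVEL", "CMDCMDLINE"}


def audit_cmd_line(command, defined_vars=None):
    """Return sorted (offset, reason) pairs for text cmd.exe would act on itself."""
    source = os.environ if defined_vars is None else defined_vars
    names = {name.upper() for name in source} | DYNAMIC_VARS
    findings = []
    # Percent expansion runs before quote and caret parsing, so quoting does not
    # protect %NAME%. At an interactive prompt an undefined name stays literal,
    # so resume one character later to catch a defined name that follows.
    m = PERCENT_REF.search(command)
    while m:
        defined = m.group(1).upper() in names
        if defined:
            findings.append((m.start(), "expands " + m.group(0)))
        m = PERCENT_REF.search(command, m.end() if defined else m.start() + 1)
    in_quotes = False
    i = 0
    while i < len(command):
        ch = command[i]
        if ch in "\r\n":
            findings.append((i, "line break ends the command here"))
        elif ch == '"':
            in_quotes = not in_quotes  # caret-escaped quotes are skipped below
        elif not in_quotes and ch == "^":
            # Caret escapes the next character; caret + line break continues the line.
            i += 3 if command[i + 1:i + 3] == "\r\n" else 2
            continue
        elif not in_quotes and ch in OPERATORS:
            findings.append((i, "operator " + ch))
        i += 1
    return sorted(findings)


# Constructed samples (example.test is a reserved test domain).
QUOTED = 'curl "https://example.test/api?q=a%20b&page=2" -H "Accept: */*"'
CARETED = 'curl ^"https://example.test/?a=1^&b=2^"'
SUSPECT = 'curl "https://example.test/" -H "X-Note: a" & echo marker'
```

An empty result means no operator, expansion or line break was found under these rules; any finding marks an offset to read by hand before the command is run.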


