Cyber Posture

CVE-2025-2857

Critical

Published: 27 March 2025
Modified: 13 April 2026
KEV Added
Patch
CVSS Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0006 (19.7th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may exploit vulnerabilities to evade detection by hiding activity, suppressing logging, or operating within trusted or unmonitored components.

Security Summary

CVE-2025-2857 is a sandbox escape vulnerability in Firefox's IPC code: a compromised child process can trick the parent process into returning an unintentionally powerful handle. The issue affects only Firefox on Windows; other operating systems are unaffected. Firefox developers discovered it after identifying a pattern similar to the Chrome sandbox escape CVE-2025-2783. The vulnerability carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) and is associated with CWE-668.

An attacker who first compromises a sandboxed child process can exploit this flaw to escape the sandbox and gain elevated privileges in the parent process, potentially leading to full system compromise. The CVSS vector indicates it is exploitable remotely with low complexity, no privileges or user interaction required, and high impact across confidentiality, integrity, and availability due to the changed scope.

Mozilla's security advisory (MFSA 2025-19) confirms the vulnerability was addressed in Firefox 136.0.4, Firefox ESR 128.8.1, and Firefox ESR 115.21.1. Security practitioners should prioritize updating affected Windows Firefox installations to these versions or later.

This vulnerability follows the in-the-wild exploitation of the related Chrome CVE-2025-2783, highlighting patterns in browser IPC mechanisms that attackers target for sandbox escapes. Details are available in Mozilla Bugzilla (1956398) and the Chromium issue tracker (405143032).

Details

CWE(s)
NVD-CWE-noinfo · CWE-668

Affected Products

mozilla / firefox: ≤ 136.0.4 · ≤ 115.21.1 · 128.1.0 to 128.8.1

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1211 Exploitation for Stealth (tactic: Stealth)
Adversaries may exploit vulnerabilities to evade detection by hiding activity, suppressing logging, or operating within trusted or unmonitored components.
Why these techniques?

Sandbox escape from compromised child process via IPC handle manipulation directly enables exploitation for privilege escalation (T1068) and evasion of browser sandbox defenses (T1211).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References