Security update for mozjs128 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:21170-1 Final 1 1 2025-12-03T20:38:36Z current 2025-12-03T20:38:36Z 2025-12-03T20:38:36Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for mozjs128 This update for mozjs128 fixes the following issues: - Update to version 128.14.0 (bsc#1248162): + CVE-2025-9179: Sandbox escape due to invalid pointer in the Audio/Video: GMP component + CVE-2025-9180: Same-origin policy bypass in the Graphics: Canvas2D component + CVE-2025-9181: Uninitialized memory in the JavaScript Engine component + CVE-2025-9185: Memory safety bugs fixed in Firefox ESR 115.27, Firefox ESR 128.14, Thunderbird ESR 128.14, Firefox ESR 140.2, Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142 - Update to version 128.13.0: + CVE-2025-8027: JavaScript engine only wrote partial return value to stack + CVE-2025-8028: Large branch table could lead to truncated instruction + CVE-2025-8029: javascript: URLs executed on object and embed tags + CVE-2025-8030: Potential user-assisted code execution in “Copy as cURL” command + CVE-2025-8031: Incorrect URL stripping in CSP reports + CVE-2025-8032: XSLT documents could bypass CSP + CVE-2025-8033: Incorrect JavaScript state machine for generators + CVE-2025-8034: Memory safety bugs fixed in Firefox ESR 115.26, Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141 + CVE-2025-8035: Memory safety bugs fixed in Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141 - Update to version 128.12.0: + CVE-2025-6424: Use-after-free in FontFaceSet + CVE-2025-6425: The WebCompat WebExtension shipped with Firefox exposed a persistent UUID + CVE-2025-6426: No warning when opening executable terminal files on macOS + CVE-2025-6429: Incorrect parsing of URLs could have allowed embedding of youtube.com + CVE-2025-6430: Content-Disposition header ignored when a file is included in an embed or object tag - Update to version 128.11.0: + CVE-2025-5283: Double-free in libvpx encoder + CVE-2025-5263: Error handling for script execution was incorrectly isolated from web content + CVE-2025-5264: Potential local code execution in “Copy as cURL” command + CVE-2025-5265: Potential local code execution in “Copy as cURL” command + CVE-2025-5266: Script element events leaked cross-origin resource status + CVE-2025-5267: Clickjacking vulnerability could have led to leaking saved payment card details + CVE-2025-5268: Memory safety bugs fixed in Firefox 139, Thunderbird 139, Firefox ESR 128.11, and Thunderbird 128.11 + CVE-2025-5269: Memory safety bug fixed in Firefox ESR 128.11 and Thunderbird 128.11 The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLES-16.0-93 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202521170-1/ Link for SUSE-SU-2025:21170-1 https://lists.suse.com/pipermail/sle-security-updates/2025-December/023500.html E-Mail link for SUSE-SU-2025:21170-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1248162 SUSE Bug 1248162 https://www.suse.com/security/cve/CVE-2025-5263/ SUSE CVE CVE-2025-5263 page https://www.suse.com/security/cve/CVE-2025-5264/ SUSE CVE CVE-2025-5264 page https://www.suse.com/security/cve/CVE-2025-5265/ SUSE CVE CVE-2025-5265 page https://www.suse.com/security/cve/CVE-2025-5266/ SUSE CVE CVE-2025-5266 page https://www.suse.com/security/cve/CVE-2025-5267/ SUSE CVE CVE-2025-5267 page https://www.suse.com/security/cve/CVE-2025-5268/ SUSE CVE CVE-2025-5268 page https://www.suse.com/security/cve/CVE-2025-5269/ SUSE CVE CVE-2025-5269 page https://www.suse.com/security/cve/CVE-2025-5283/ SUSE CVE CVE-2025-5283 page https://www.suse.com/security/cve/CVE-2025-6424/ SUSE CVE CVE-2025-6424 page https://www.suse.com/security/cve/CVE-2025-6425/ SUSE CVE CVE-2025-6425 page https://www.suse.com/security/cve/CVE-2025-6426/ SUSE CVE CVE-2025-6426 page https://www.suse.com/security/cve/CVE-2025-6429/ SUSE CVE CVE-2025-6429 page https://www.suse.com/security/cve/CVE-2025-6430/ SUSE CVE CVE-2025-6430 page https://www.suse.com/security/cve/CVE-2025-8027/ SUSE CVE CVE-2025-8027 page https://www.suse.com/security/cve/CVE-2025-8028/ SUSE CVE CVE-2025-8028 page https://www.suse.com/security/cve/CVE-2025-8029/ SUSE CVE CVE-2025-8029 page https://www.suse.com/security/cve/CVE-2025-8030/ SUSE CVE CVE-2025-8030 page https://www.suse.com/security/cve/CVE-2025-8031/ SUSE CVE CVE-2025-8031 page https://www.suse.com/security/cve/CVE-2025-8032/ SUSE CVE CVE-2025-8032 page https://www.suse.com/security/cve/CVE-2025-8033/ SUSE CVE CVE-2025-8033 page https://www.suse.com/security/cve/CVE-2025-8034/ SUSE CVE CVE-2025-8034 page https://www.suse.com/security/cve/CVE-2025-8035/ SUSE CVE CVE-2025-8035 page https://www.suse.com/security/cve/CVE-2025-9179/ SUSE CVE CVE-2025-9179 page https://www.suse.com/security/cve/CVE-2025-9180/ SUSE CVE CVE-2025-9180 page https://www.suse.com/security/cve/CVE-2025-9181/ SUSE CVE CVE-2025-9181 page https://www.suse.com/security/cve/CVE-2025-9185/ SUSE CVE CVE-2025-9185 page SUSE Linux Enterprise Server 16.0 SUSE Linux Enterprise Server for SAP Applications 16.0 libmozjs-128-0-128.14.0-160000.1.1 mozjs128-128.14.0-160000.1.1 mozjs128-devel-128.14.0-160000.1.1 libmozjs-128-0-128.14.0-160000.1.1 as a component of SUSE Linux Enterprise Server 16.0 mozjs128-128.14.0-160000.1.1 as a component of SUSE Linux Enterprise Server 16.0 mozjs128-devel-128.14.0-160000.1.1 as a component of SUSE Linux Enterprise Server 16.0 libmozjs-128-0-128.14.0-160000.1.1 as a component of SUSE Linux Enterprise Server for SAP Applications 16.0 mozjs128-128.14.0-160000.1.1 as a component of SUSE Linux Enterprise Server for SAP Applications 16.0 mozjs128-devel-128.14.0-160000.1.1 as a component of SUSE Linux Enterprise Server for SAP Applications 16.0 Error handling for script execution was incorrectly isolated from web content, which could have allowed cross-origin leak attacks. This vulnerability affects Firefox < 139, Firefox ESR < 115.24, Firefox ESR < 128.11, Thunderbird < 139, and Thunderbird < 128.11. CVE-2025-5263 SUSE Linux Enterprise Server 16.0:libmozjs-128-0-128.14.0-160000.1.1 SUSE Linux Enterprise Server 16.0:mozjs128-128.14.0-160000.1.1 SUSE Linux Enterprise Server 16.0:mozjs128-devel-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:libmozjs-128-0-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:mozjs128-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:mozjs128-devel-128.14.0-160000.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202521170-1/ https://www.suse.com/security/cve/CVE-2025-5263.html CVE-2025-5263 https://bugzilla.suse.com/1243353 SUSE Bug 1243353 Due to insufficient escaping of the newline character in the "Copy as cURL" feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. This vulnerability affects Firefox < 139, Firefox ESR < 115.24, Firefox ESR < 128.11, Thunderbird < 139, and Thunderbird < 128.11. CVE-2025-5264 SUSE Linux Enterprise Server 16.0:libmozjs-128-0-128.14.0-160000.1.1 SUSE Linux Enterprise Server 16.0:mozjs128-128.14.0-160000.1.1 SUSE Linux Enterprise Server 16.0:mozjs128-devel-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:libmozjs-128-0-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:mozjs128-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:mozjs128-devel-128.14.0-160000.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202521170-1/ https://www.suse.com/security/cve/CVE-2025-5264.html CVE-2025-5264 https://bugzilla.suse.com/1243353 SUSE Bug 1243353 Due to insufficient escaping of the ampersand character in the "Copy as cURL" feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system. *This bug only affects Firefox for Windows. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 139, Firefox ESR < 115.24, Firefox ESR < 128.11, Thunderbird < 139, and Thunderbird < 128.11. CVE-2025-5265 SUSE Linux Enterprise Server 16.0:libmozjs-128-0-128.14.0-160000.1.1 SUSE Linux Enterprise Server 16.0:mozjs128-128.14.0-160000.1.1 SUSE Linux Enterprise Server 16.0:mozjs128-devel-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:libmozjs-128-0-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:mozjs128-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:mozjs128-devel-128.14.0-160000.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202521170-1/ https://www.suse.com/security/cve/CVE-2025-5265.html CVE-2025-5265 https://bugzilla.suse.com/1243353 SUSE Bug 1243353 Script elements loading cross-origin resources generated load and error events which leaked information enabling XS-Leaks attacks. This vulnerability affects Firefox < 139, Firefox ESR < 128.11, Thunderbird < 139, and Thunderbird < 128.11. CVE-2025-5266 SUSE Linux Enterprise Server 16.0:libmozjs-128-0-128.14.0-160000.1.1 SUSE Linux Enterprise Server 16.0:mozjs128-128.14.0-160000.1.1 SUSE Linux Enterprise Server 16.0:mozjs128-devel-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:libmozjs-128-0-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:mozjs128-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:mozjs128-devel-128.14.0-160000.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202521170-1/ https://www.suse.com/security/cve/CVE-2025-5266.html CVE-2025-5266 https://bugzilla.suse.com/1243353 SUSE Bug 1243353 A clickjacking vulnerability could have been used to trick a user into leaking saved payment card details to a malicious page. This vulnerability affects Firefox < 139, Firefox ESR < 128.11, Thunderbird < 139, and Thunderbird < 128.11. CVE-2025-5267 SUSE Linux Enterprise Server 16.0:libmozjs-128-0-128.14.0-160000.1.1 SUSE Linux Enterprise Server 16.0:mozjs128-128.14.0-160000.1.1 SUSE Linux Enterprise Server 16.0:mozjs128-devel-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:libmozjs-128-0-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:mozjs128-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:mozjs128-devel-128.14.0-160000.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202521170-1/ https://www.suse.com/security/cve/CVE-2025-5267.html CVE-2025-5267 https://bugzilla.suse.com/1243353 SUSE Bug 1243353 Memory safety bugs present in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 139, Firefox ESR < 128.11, Thunderbird < 139, and Thunderbird < 128.11. CVE-2025-5268 SUSE Linux Enterprise Server 16.0:libmozjs-128-0-128.14.0-160000.1.1 SUSE Linux Enterprise Server 16.0:mozjs128-128.14.0-160000.1.1 SUSE Linux Enterprise Server 16.0:mozjs128-devel-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:libmozjs-128-0-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:mozjs128-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:mozjs128-devel-128.14.0-160000.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202521170-1/ https://www.suse.com/security/cve/CVE-2025-5268.html CVE-2025-5268 https://bugzilla.suse.com/1243353 SUSE Bug 1243353 Memory safety bug present in Firefox ESR 128.10, and Thunderbird 128.10. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 128.11 and Thunderbird < 128.11. CVE-2025-5269 SUSE Linux Enterprise Server 16.0:libmozjs-128-0-128.14.0-160000.1.1 SUSE Linux Enterprise Server 16.0:mozjs128-128.14.0-160000.1.1 SUSE Linux Enterprise Server 16.0:mozjs128-devel-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:libmozjs-128-0-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:mozjs128-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:mozjs128-devel-128.14.0-160000.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202521170-1/ https://www.suse.com/security/cve/CVE-2025-5269.html CVE-2025-5269 https://bugzilla.suse.com/1243353 SUSE Bug 1243353 Use after free in libvpx in Google Chrome prior to 137.0.7151.55 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) CVE-2025-5283 SUSE Linux Enterprise Server 16.0:libmozjs-128-0-128.14.0-160000.1.1 SUSE Linux Enterprise Server 16.0:mozjs128-128.14.0-160000.1.1 SUSE Linux Enterprise Server 16.0:mozjs128-devel-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:libmozjs-128-0-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:mozjs128-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:mozjs128-devel-128.14.0-160000.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202521170-1/ https://www.suse.com/security/cve/CVE-2025-5283.html CVE-2025-5283 https://bugzilla.suse.com/1243741 SUSE Bug 1243741 A use-after-free in FontFaceSet resulted in a potentially exploitable crash. This vulnerability affects Firefox < 140, Firefox ESR < 115.25, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12. CVE-2025-6424 SUSE Linux Enterprise Server 16.0:libmozjs-128-0-128.14.0-160000.1.1 SUSE Linux Enterprise Server 16.0:mozjs128-128.14.0-160000.1.1 SUSE Linux Enterprise Server 16.0:mozjs128-devel-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:libmozjs-128-0-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:mozjs128-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:mozjs128-devel-128.14.0-160000.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202521170-1/ https://www.suse.com/security/cve/CVE-2025-6424.html CVE-2025-6424 https://bugzilla.suse.com/1244670 SUSE Bug 1244670 An attacker who enumerated resources from the WebCompat extension could have obtained a persistent UUID that identified the browser, and persisted between containers and normal/private browsing mode, but not profiles. This vulnerability affects Firefox < 140, Firefox ESR < 115.25, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12. CVE-2025-6425 SUSE Linux Enterprise Server 16.0:libmozjs-128-0-128.14.0-160000.1.1 SUSE Linux Enterprise Server 16.0:mozjs128-128.14.0-160000.1.1 SUSE Linux Enterprise Server 16.0:mozjs128-devel-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:libmozjs-128-0-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:mozjs128-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:mozjs128-devel-128.14.0-160000.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202521170-1/ https://www.suse.com/security/cve/CVE-2025-6425.html CVE-2025-6425 https://bugzilla.suse.com/1244670 SUSE Bug 1244670 The executable file warning did not warn users before opening files with the `terminal` extension. *This bug only affects Firefox for macOS. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 140, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12. CVE-2025-6426 SUSE Linux Enterprise Server 16.0:libmozjs-128-0-128.14.0-160000.1.1 SUSE Linux Enterprise Server 16.0:mozjs128-128.14.0-160000.1.1 SUSE Linux Enterprise Server 16.0:mozjs128-devel-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:libmozjs-128-0-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:mozjs128-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:mozjs128-devel-128.14.0-160000.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202521170-1/ https://www.suse.com/security/cve/CVE-2025-6426.html CVE-2025-6426 https://bugzilla.suse.com/1244670 SUSE Bug 1244670 Firefox could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing the URL specified in an `embed` tag. This could have bypassed website security checks that restricted which domains users were allowed to embed. This vulnerability affects Firefox < 140, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12. CVE-2025-6429 SUSE Linux Enterprise Server 16.0:libmozjs-128-0-128.14.0-160000.1.1 SUSE Linux Enterprise Server 16.0:mozjs128-128.14.0-160000.1.1 SUSE Linux Enterprise Server 16.0:mozjs128-devel-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:libmozjs-128-0-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:mozjs128-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:mozjs128-devel-128.14.0-160000.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202521170-1/ https://www.suse.com/security/cve/CVE-2025-6429.html CVE-2025-6429 https://bugzilla.suse.com/1244670 SUSE Bug 1244670 When a file download is specified via the `Content-Disposition` header, that directive would be ignored if the file was included via a `&lt;embed&gt;` or `&lt;object&gt;` tag, potentially making a website vulnerable to a cross-site scripting attack. This vulnerability affects Firefox < 140, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12. CVE-2025-6430 SUSE Linux Enterprise Server 16.0:libmozjs-128-0-128.14.0-160000.1.1 SUSE Linux Enterprise Server 16.0:mozjs128-128.14.0-160000.1.1 SUSE Linux Enterprise Server 16.0:mozjs128-devel-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:libmozjs-128-0-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:mozjs128-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:mozjs128-devel-128.14.0-160000.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202521170-1/ https://www.suse.com/security/cve/CVE-2025-6430.html CVE-2025-6430 https://bugzilla.suse.com/1244670 SUSE Bug 1244670 On 64-bit platforms IonMonkey-JIT only wrote 32 bits of the 64-bit return value space on the stack. Baseline-JIT, however, read the entire 64 bits. This vulnerability affects Firefox < 141, Firefox ESR < 115.26, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13, and Thunderbird < 140.1. CVE-2025-8027 SUSE Linux Enterprise Server 16.0:libmozjs-128-0-128.14.0-160000.1.1 SUSE Linux Enterprise Server 16.0:mozjs128-128.14.0-160000.1.1 SUSE Linux Enterprise Server 16.0:mozjs128-devel-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:libmozjs-128-0-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:mozjs128-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:mozjs128-devel-128.14.0-160000.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202521170-1/ https://www.suse.com/security/cve/CVE-2025-8027.html CVE-2025-8027 https://bugzilla.suse.com/1246664 SUSE Bug 1246664 On arm64, a WASM `br_table` instruction with a lot of entries could lead to the label being too far from the instruction causing truncation and incorrect computation of the branch address. This vulnerability affects Firefox < 141, Firefox ESR < 115.26, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13, and Thunderbird < 140.1. CVE-2025-8028 SUSE Linux Enterprise Server 16.0:libmozjs-128-0-128.14.0-160000.1.1 SUSE Linux Enterprise Server 16.0:mozjs128-128.14.0-160000.1.1 SUSE Linux Enterprise Server 16.0:mozjs128-devel-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:libmozjs-128-0-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:mozjs128-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:mozjs128-devel-128.14.0-160000.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202521170-1/ https://www.suse.com/security/cve/CVE-2025-8028.html CVE-2025-8028 https://bugzilla.suse.com/1246664 SUSE Bug 1246664 Thunderbird executed `javascript:` URLs when used in `object` and `embed` tags. This vulnerability affects Firefox < 141, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13, and Thunderbird < 140.1. CVE-2025-8029 SUSE Linux Enterprise Server 16.0:libmozjs-128-0-128.14.0-160000.1.1 SUSE Linux Enterprise Server 16.0:mozjs128-128.14.0-160000.1.1 SUSE Linux Enterprise Server 16.0:mozjs128-devel-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:libmozjs-128-0-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:mozjs128-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:mozjs128-devel-128.14.0-160000.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202521170-1/ https://www.suse.com/security/cve/CVE-2025-8029.html CVE-2025-8029 https://bugzilla.suse.com/1246664 SUSE Bug 1246664 Insufficient escaping in the "Copy as cURL" feature could potentially be used to trick a user into executing unexpected code. This vulnerability affects Firefox < 141, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13, and Thunderbird < 140.1. CVE-2025-8030 SUSE Linux Enterprise Server 16.0:libmozjs-128-0-128.14.0-160000.1.1 SUSE Linux Enterprise Server 16.0:mozjs128-128.14.0-160000.1.1 SUSE Linux Enterprise Server 16.0:mozjs128-devel-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:libmozjs-128-0-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:mozjs128-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:mozjs128-devel-128.14.0-160000.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202521170-1/ https://www.suse.com/security/cve/CVE-2025-8030.html CVE-2025-8030 https://bugzilla.suse.com/1246664 SUSE Bug 1246664 The `username:password` part was not correctly stripped from URLs in CSP reports potentially leaking HTTP Basic Authentication credentials. This vulnerability affects Firefox < 141, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13, and Thunderbird < 140.1. CVE-2025-8031 SUSE Linux Enterprise Server 16.0:libmozjs-128-0-128.14.0-160000.1.1 SUSE Linux Enterprise Server 16.0:mozjs128-128.14.0-160000.1.1 SUSE Linux Enterprise Server 16.0:mozjs128-devel-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:libmozjs-128-0-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:mozjs128-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:mozjs128-devel-128.14.0-160000.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202521170-1/ https://www.suse.com/security/cve/CVE-2025-8031.html CVE-2025-8031 https://bugzilla.suse.com/1246664 SUSE Bug 1246664 XSLT document loading did not correctly propagate the source document which bypassed its CSP. This vulnerability affects Firefox < 141, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13, and Thunderbird < 140.1. CVE-2025-8032 SUSE Linux Enterprise Server 16.0:libmozjs-128-0-128.14.0-160000.1.1 SUSE Linux Enterprise Server 16.0:mozjs128-128.14.0-160000.1.1 SUSE Linux Enterprise Server 16.0:mozjs128-devel-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:libmozjs-128-0-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:mozjs128-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:mozjs128-devel-128.14.0-160000.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202521170-1/ https://www.suse.com/security/cve/CVE-2025-8032.html CVE-2025-8032 https://bugzilla.suse.com/1246664 SUSE Bug 1246664 The JavaScript engine did not handle closed generators correctly and it was possible to resume them leading to a nullptr deref. This vulnerability affects Firefox < 141, Firefox ESR < 115.26, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13, and Thunderbird < 140.1. CVE-2025-8033 SUSE Linux Enterprise Server 16.0:libmozjs-128-0-128.14.0-160000.1.1 SUSE Linux Enterprise Server 16.0:mozjs128-128.14.0-160000.1.1 SUSE Linux Enterprise Server 16.0:mozjs128-devel-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:libmozjs-128-0-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:mozjs128-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:mozjs128-devel-128.14.0-160000.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202521170-1/ https://www.suse.com/security/cve/CVE-2025-8033.html CVE-2025-8033 https://bugzilla.suse.com/1246664 SUSE Bug 1246664 Memory safety bugs present in Firefox ESR 115.25, Firefox ESR 128.12, Thunderbird ESR 128.12, Firefox ESR 140.0, Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 141, Firefox ESR < 115.26, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13, and Thunderbird < 140.1. CVE-2025-8034 SUSE Linux Enterprise Server 16.0:libmozjs-128-0-128.14.0-160000.1.1 SUSE Linux Enterprise Server 16.0:mozjs128-128.14.0-160000.1.1 SUSE Linux Enterprise Server 16.0:mozjs128-devel-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:libmozjs-128-0-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:mozjs128-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:mozjs128-devel-128.14.0-160000.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202521170-1/ https://www.suse.com/security/cve/CVE-2025-8034.html CVE-2025-8034 https://bugzilla.suse.com/1246664 SUSE Bug 1246664 Memory safety bugs present in Firefox ESR 128.12, Thunderbird ESR 128.12, Firefox ESR 140.0, Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 141, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13, and Thunderbird < 140.1. CVE-2025-8035 SUSE Linux Enterprise Server 16.0:libmozjs-128-0-128.14.0-160000.1.1 SUSE Linux Enterprise Server 16.0:mozjs128-128.14.0-160000.1.1 SUSE Linux Enterprise Server 16.0:mozjs128-devel-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:libmozjs-128-0-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:mozjs128-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:mozjs128-devel-128.14.0-160000.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202521170-1/ https://www.suse.com/security/cve/CVE-2025-8035.html CVE-2025-8035 https://bugzilla.suse.com/1246664 SUSE Bug 1246664 An attacker was able to perform memory corruption in the GMP process which processes encrypted media. This process is also heavily sandboxed, but represents slightly different privileges from the content process. This vulnerability affects Firefox < 142, Firefox ESR < 115.27, Firefox ESR < 128.14, Firefox ESR < 140.2, Thunderbird < 142, Thunderbird < 128.14, and Thunderbird < 140.2. CVE-2025-9179 SUSE Linux Enterprise Server 16.0:libmozjs-128-0-128.14.0-160000.1.1 SUSE Linux Enterprise Server 16.0:mozjs128-128.14.0-160000.1.1 SUSE Linux Enterprise Server 16.0:mozjs128-devel-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:libmozjs-128-0-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:mozjs128-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:mozjs128-devel-128.14.0-160000.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202521170-1/ https://www.suse.com/security/cve/CVE-2025-9179.html CVE-2025-9179 https://bugzilla.suse.com/1248162 SUSE Bug 1248162 Same-origin policy bypass in the Graphics: Canvas2D component. This vulnerability affects Firefox < 142, Firefox ESR < 115.27, Firefox ESR < 128.14, Firefox ESR < 140.2, Thunderbird < 142, Thunderbird < 128.14, and Thunderbird < 140.2. CVE-2025-9180 SUSE Linux Enterprise Server 16.0:libmozjs-128-0-128.14.0-160000.1.1 SUSE Linux Enterprise Server 16.0:mozjs128-128.14.0-160000.1.1 SUSE Linux Enterprise Server 16.0:mozjs128-devel-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:libmozjs-128-0-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:mozjs128-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:mozjs128-devel-128.14.0-160000.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202521170-1/ https://www.suse.com/security/cve/CVE-2025-9180.html CVE-2025-9180 https://bugzilla.suse.com/1248162 SUSE Bug 1248162 Uninitialized memory in the JavaScript Engine component. This vulnerability affects Firefox < 142, Firefox ESR < 128.14, Firefox ESR < 140.2, Thunderbird < 142, Thunderbird < 128.14, and Thunderbird < 140.2. CVE-2025-9181 SUSE Linux Enterprise Server 16.0:libmozjs-128-0-128.14.0-160000.1.1 SUSE Linux Enterprise Server 16.0:mozjs128-128.14.0-160000.1.1 SUSE Linux Enterprise Server 16.0:mozjs128-devel-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:libmozjs-128-0-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:mozjs128-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:mozjs128-devel-128.14.0-160000.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202521170-1/ https://www.suse.com/security/cve/CVE-2025-9181.html CVE-2025-9181 https://bugzilla.suse.com/1248162 SUSE Bug 1248162 Memory safety bugs present in Firefox ESR 115.26, Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 142, Firefox ESR < 115.27, Firefox ESR < 128.14, Firefox ESR < 140.2, Thunderbird < 142, Thunderbird < 128.14, and Thunderbird < 140.2. CVE-2025-9185 SUSE Linux Enterprise Server 16.0:libmozjs-128-0-128.14.0-160000.1.1 SUSE Linux Enterprise Server 16.0:mozjs128-128.14.0-160000.1.1 SUSE Linux Enterprise Server 16.0:mozjs128-devel-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:libmozjs-128-0-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:mozjs128-128.14.0-160000.1.1 SUSE Linux Enterprise Server for SAP Applications 16.0:mozjs128-devel-128.14.0-160000.1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202521170-1/ https://www.suse.com/security/cve/CVE-2025-9185.html CVE-2025-9185 https://bugzilla.suse.com/1248162 SUSE Bug 1248162