A critical use-after-free vulnerability, identified as CVE-2025-12380, exists in multiple Firefox products starting with version 142. This flaw allows a compromised web content process to trigger memory corruption in a higher-privileged process, potentially enabling an attacker to escape the browser's security sandbox and execute arbitrary code on the underlying operating system. Successful exploitation could lead to a full system compromise.

This is a use-after-free (UAF) vulnerability within the Inter-Process Communication (IPC) handling for the WebGPU API. An attacker who has already achieved initial code execution within a sandboxed child process (e.g., a web content process) can craft malicious WebGPU-related IPC messages. When these messages are sent to the main GPU or browser process, they can cause the process to access a memory location that has already been deallocated, leading to memory corruption. A skilled attacker can leverage this memory corruption to gain arbitrary code execution capabilities with the privileges of the parent process, thereby escaping the sandbox and compromising the host system.

This vulnerability is rated as critical severity with a CVSS score of 9.8, indicating a high potential for severe business impact. A successful exploit would allow an attacker to bypass the browser's primary security defense—the sandbox—and gain control over the user's workstation. The potential consequences include the theft of sensitive corporate or personal data, deployment of ransomware or other malware, installation of persistent backdoors for long-term access, and using the compromised machine as a pivot point to attack other systems on the internal network. This poses a direct risk of data breaches, financial loss, operational disruption, and significant reputational damage.

Immediate Action: The primary remediation is to apply the vendor-supplied security patches immediately. All users and system administrators should update their Firefox installations to the latest version that addresses this vulnerability. After patching, it is recommended to monitor systems for any signs of post-exploitation activity and review relevant access logs for unusual behavior preceding the patch deployment.

Proactive Monitoring:

• Monitor Endpoint Detection and Response (EDR) solutions for anomalous process creation originating from firefox.exe or its child processes.
• Look for unexpected network connections or outbound traffic from Firefox processes to unknown or malicious IP addresses.
• Analyze system logs for unexpected crashes of the Firefox browser or GPU process, as failed exploitation attempts may cause instability.
• Review DNS logs for queries to suspicious domains that may be associated with exploit kits or command-and-control servers.

Compensating Controls: If immediate patching is not feasible, the following temporary measures can help reduce risk:

• Consider disabling WebGPU in Firefox's advanced configuration (about:config) by setting dom.webgpu.enabled to false. Note that this may affect the functionality of some web applications.
• Ensure that endpoint security solutions, such as antivirus and EDR, are up-to-date and configured to detect and block sandbox escape techniques.
• Enforce the principle of least privilege for user accounts to limit the potential impact of a system compromise.

Public Exploit Available: false

Given the critical CVSS score of 9.8, this vulnerability represents a significant and immediate threat to the organization. Although there is no evidence of active exploitation at this time, the potential for a complete system compromise necessitates urgent action. We strongly recommend prioritizing the deployment of the vendor-provided patches across all managed endpoints without delay. Organizations should treat this as a critical priority and ensure all instances of affected Firefox products are updated to a secure version to prevent potential exploitation.