Amazon Linux 2 Security Advisory: ALAS2FIREFOX-2025-040
Advisory Released Date: 2025-07-10
Advisory Updated Date: 2025-07-10
FAQs regarding Amazon Linux ALAS/CVE Severity
A use-after-free in FontFaceSet resulted in a potentially exploitable crash. This vulnerability affects Firefox < 140, Firefox ESR < 115.25, and Firefox ESR < 128.12. (CVE-2025-6424)
An attacker who enumerated resources from the WebCompat extension could have obtained a persistent UUID that identified the browser, and persisted between containers and normal/private browsing mode, but not profiles. This vulnerability affects Firefox < 140, Firefox ESR < 115.25, and Firefox ESR < 128.12. (CVE-2025-6425)
Firefox could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing the URL specified in an `embed` tag. This could have bypassed website security checks that restricted which domains users were allowed to embed. This vulnerability affects Firefox < 140 and Firefox ESR < 128.12. (CVE-2025-6429)
When a file download is specified via the Content-Disposition header, that directive would be ignored if the file was included via a <embed> or <object> tag, potentially making a website vulnerable to a cross-site scripting attack. (CVE-2025-6430)
Affected Packages:
firefox
Note:
This advisory is applicable to Amazon Linux 2 - Firefox Extra. Visit this page to learn more about Amazon Linux 2 (AL2) Extras and this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update firefox to update your system.
aarch64:
firefox-128.12.0-1.amzn2.0.1.aarch64
firefox-debuginfo-128.12.0-1.amzn2.0.1.aarch64
src:
firefox-128.12.0-1.amzn2.0.1.src
x86_64:
firefox-128.12.0-1.amzn2.0.1.x86_64
firefox-debuginfo-128.12.0-1.amzn2.0.1.x86_64