
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-2857 is a critical security vulnerability discovered in Mozilla Firefox's IPC (inter-process communication) code following the identification of a similar Chrome sandbox escape vulnerability (CVE-2025-2783). The vulnerability affects Firefox and Firefox ESR on Windows systems, where a compromised child process could cause the parent process to return an unintentionally powerful handle, leading to a sandbox escape. The flaw was discovered on March 27, 2025, and affects Firefox versions < 136.0.4, Firefox ESR < 128.8.1, and Firefox ESR < 115.21.1 (Mozilla Advisory).
The vulnerability is specifically related to incorrect handle management in Firefox's IPC code implementation on Windows systems. The flaw bears similarities to Chrome's CVE-2025-2783, which was described as a logical error at the intersection of the browser's sandbox and the Windows operating system. The vulnerability has been assigned a CVSS 3.1 Base Score of 10.0 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) by CISA-ADP (NVD).
The vulnerability could allow attackers to escape the browser's sandbox, bypassing one of Firefox's primary security boundaries. Although the impact is severe, the flaw only affects Firefox installations on Windows; other operating systems are not affected (Mozilla Advisory, Help Net Security).
Mozilla has released security updates that address the vulnerability in Firefox 136.0.4, Firefox ESR 128.8.1, and Firefox ESR 115.21.1. The Tor Project has also released an emergency security update (version 14.0.8) for Windows users of the Tor Browser, which is built from a modified version of Firefox ESR (Help Net Security, Hacker News).
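The fixed versions above span three separate branches (release, ESR 128 and ESR 115), so a plain "less than 136.0.4" comparison misjudges ESR installs. The following script, added here as an example and not part of the advisory or of any Mozilla tooling, applies the advisory's version table to a version string the way a fleet inventory check would. It assumes the conventional Firefox version format ("136.0.4" for release, "128.8.1esr" for ESR builds) and a constructed host inventory; the platform filter follows the advisory's statement that only Windows is affected.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed versions as stated in the Mozilla advisory for CVE-2025-2857.
FIXED_RELEASE = (136, 0, 4)
FIXED_ESR = {128: (128, 8, 1), 115: (115, 21, 1)}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '128.8.1esr' or '136' into a comparable (major, minor, patch) tuple.

    Missing components are padded with 0 so '136' compares as (136, 0, 0).
    """
    m = re.match(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised Firefox version string: {version!r}")
    major, minor, patch = (int(p) if p else 0 for p in m.groups())
    return (major, minor, patch)


def is_esr(version: str) -> bool:
    """ESR builds carry an 'esr' suffix in their version string (assumed format)."""
    return version.strip().lower().endswith("esr")


def is_affected(version: str, platform: str = "windows") -> Optional[bool]:
    """Return True if the install is below the fixed version for its branch.

    Returns False for non-Windows platforms (advisory scope) and None when
    the ESR major is not one of the branches the advisory lists, so the
    caller can flag it for manual review instead of silently passing it.
    """
    if platform.strip().lower() != "windows":
        return False
    ver = parse_version(version)
    if is_esr(version):
        fixed = FIXED_ESR.get(ver[0])
        if fixed is None:
            return None
        return ver < fixed
    return ver < FIXED_RELEASE


def triage(inventory: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Split hosts into 'update', 'ok' and 'review' buckets by advisory status."""
    result: Dict[str, List[str]] = {"update": [], "ok": [], "review": []}
    for host in inventory:
        status = is_affected(host["version"], host["platform"])
        bucket = "review" if status is None else ("update" if status else "ok")
        result[bucket].append(host["name"])
    return result


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = [
    {"name": "win-ws-01", "platform": "windows", "version": "136.0.3"},
    {"name": "win-ws-02", "platform": "windows", "version": "136.0.4"},
    {"name": "win-kiosk-01", "platform": "windows", "version": "128.8.0esr"},
    {"name": "win-kiosk-02", "platform": "windows", "version": "128.8.1esr"},
    {"name": "win-legacy-01", "platform": "windows", "version": "115.21.0esr"},
    {"name": "win-unknown-esr", "platform": "windows", "version": "140.0esr"},
    {"name": "linux-dev-01", "platform": "linux", "version": "136.0.3"},
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Keeping the ESR table keyed by major version means a host on an ESR branch the advisory does not mention lands in the review bucket rather than being marked clean, which is the safer default when a version table is copied from an advisory into tooling.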
Source: This report was generated using AI