CVE-2025-5266: 
Mozilla Firefox vulnerability analysis and mitigation

Script elements loading cross-origin resources generated load and error events which leaked information enabling XS-Leaks attacks. This vulnerability, identified as CVE-2025-5266, affects Firefox versions below 139 and Firefox ESR versions below 128.11. The vulnerability was discovered by Jakub Szymsza and was publicly disclosed on May 27, 2025 (Mozilla Advisory, NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N. It is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The flaw specifically involves script elements that generate load and error events when loading cross-origin resources, which can be exploited for cross-origin information leakage through XS-Leaks attacks (NVD).

The vulnerability enables cross-origin information leakage through XS-Leaks attacks, potentially exposing sensitive data to unauthorized actors. The moderate severity rating indicates significant security implications for affected systems (Mozilla Advisory).

Users are advised to update to Firefox version 139 or Firefox ESR version 128.11, which contain patches for this vulnerability. The fix was released on May 27, 2025, as part of a larger security update addressing multiple vulnerabilities (Mozilla Advisory).