
Need some clarification regarding the CVEs affecting the Firefox ESR versions.


I would like to know how the Firefox CVEs affect the versions mentioned in NVD.

Let's take mfsa2025-59, for example CVE-2025-8040. As per the NVD, it says Firefox ESR < 140.1 is affected, so does that mean it affects all the versions lower than 140.1, which include the ESR 128 and ESR 115 versions, or just the ESR 140 version series? Then it raises one more question: check CVE-2025-8029 in NVD; it has specifically mentioned that it only affects "Firefox ESR < 128.13, Firefox ESR < 140.1" and not the ESR 115 versions. Could anyone confirm whether it does not affect the ESR 115 versions or it affects all the versions? Now check this one, CVE-2025-8027: NVD clearly mentions "Firefox ESR < 115.26, Firefox ESR < 128.13, Firefox ESR < 140.1" are affected, so what I understand is that if Firefox ESR 115 is vulnerable to any CVE it would be mentioned in the NVD specifically.

My point is that if any Firefox CVEs are listed in NVD and they specify only one version like "Firefox ESR < 140.1", what does that mean? Does it affect all the versions, which include ESR 128 and ESR 115, or is just the ESR 140 series affected? If any CVEs affect ESR 115 and ESR 128, Mozilla specifically mentions that those versions are affected, right? Just like it's mentioned in CVE-2025-8027.

Any help would be appreciated to clarify this.


All Replies (5)


Roger said

Let's take mfsa2025-59, for example CVE-2025-8040. As per the NVD, it says Firefox ESR < 140.1 is affected, so does that mean it affects all the versions lower than 140.1, which include the ESR 128 and ESR 115 versions, or just the ESR 140 version series?

Hi, this vulnerability has been introduced in Firefox 140 and fixed in Firefox 140.1, so the only affected version is ESR 140.0.x. It didn't exist in 128 and 115.

Then it raises one more question: check CVE-2025-8029 in NVD; it has specifically mentioned that it only affects "Firefox ESR < 128.13, Firefox ESR < 140.1" and not the ESR 115 versions. Could anyone confirm whether it does not affect the ESR 115 versions or it affects all the versions?

It's possible that this affects ESR 115, which hasn't been updated since ESR 128.3.

Update: Sorry, I was wrong about it. ESR 115 is still being updated.

My point is that if any Firefox CVEs are listed in NVD and they specify only one version like "Firefox ESR < 140.1", what does that mean? Does it affect all the versions, which include ESR 128 and ESR 115, or is just the ESR 140 series affected? If any CVEs affect ESR 115 and ESR 128, Mozilla specifically mentions that those versions are affected, right? Just like it's mentioned in CVE-2025-8027.

In my opinion, every channel that is affected and received a fix should be mentioned.

Modified by TyDraniu


Hi, thanks for the quick reply.

For CVE-2025-8040, I believe Mozilla should clearly mention in NVD if other versions are not affected. In NVD they have mentioned "Firefox ESR < 140.1"; anything less than 140.1 is affected, which would mean it affects all the versions.

For CVE-2025-8029, ESR 115 will be supported till March 2025, I think, and also we can see that we are receiving the updates for ESR 115; currently it's on 115.28, and as per https://support.mozilla.org/en-US/kb/firefox-users-windows-7-8-and-81-moving-extended-support "Mozilla will provide security updates for Firefox 115 ESR until at least February 2026, at which point the position will be re-evaluated." They could provide the fix after that as well.

Exactly, "In my opinion every channel that is affected and received a fix, should be mentioned." They should mention that, or if they are not planning to fix it on any version it should be mentioned as a note or something, so it can give a clear idea.

It's not just one or three CVEs; I have thousands of CVEs with this issue. For those CVEs where they have mentioned ESR 115 in NVD it's fine and gives a clear sense, but most of the count falls under cases where there is no clear data on whether it's affected or not. I would assume affected, I believe.

If anyone from Mozilla team can confirm that would be great :)


The ESRs are treated like separate products. For example, the current ESRs are 115 and 140. So "Firefox ESR < 140.1" means "Firefox ESR 140 in versions prior to 140.1".

It is a bit clearer in the actual CVE data. See for example https://www.cve.org/CVERecord?id=CVE-2025-10533

This vulnerability affects Firefox < 143, Firefox ESR < 115.28, Firefox ESR < 140.3, Thunderbird < 143, and Thunderbird < 140.3.

And then it lists five separate versions for these.

I made a note to try and improve the descriptions.


Hi Simon,

Yes, I agree. I do see some more clarity on cve.org, thanks for that.

I'll just put some questions. Let's take an example, CVE-2025-4091: https://www.cve.org/CVERecord?id=CVE-2025-4091. It only affects Firefox < 138, Firefox ESR < 128.10, Thunderbird < 138, and Thunderbird < 128.10, and from the description we can see that it was found on "Firefox 137, Thunderbird 137, Firefox ESR 128.9, and Thunderbird 128.9", hence I believe it does not affect ESR 115, which is great. It gives a clear idea.

CVE-2025-4087: https://www.cve.org/CVERecord?id=CVE-2025-4087. For this one we don't have any version mentioned where it was found, hence I would guess this affects ESR 115 and there is no fix for it, hence it's not mentioned in the description. It only mentions Firefox ESR < 128.10, hence everyone assumes all the versions below are affected, including ESR 115.

If any CVEs like CVE-2025-4087, where there is no patched version mentioned for ESR 115 and it does not separately mention whether it's affected or not on cve.org or on the NVD page, then my best guess would be to assume, based on "This vulnerability affects Firefox < 138, Firefox ESR < 128.10, Thunderbird < 138, and Thunderbird < 128.10.", that it affects ESR 115, right?

CVE-2025-8029: I just got an update from the Mozilla team through email: "CVE-2025-8029 *does* affect Firefox ESR 115 and we were unable to fix this in ESR 115. In my personal opinion, this bug is not severe enough to cause any concern."

The main motive is to get more clarity and have standard scanners improve their vulnerability detection logic, which would help to reduce the FP counts :)
