[🐛 Bug]:firefox vunerablities CVE-2022-25235 & CVE-2022-25236

[e-dsouza]

What happened?

My org informed be about the firefox vulnerabilties with firefox version 134.0.2~build1 on the image 4.28.1-20250202

https://ubuntu.com/security/CVE-2022-25235
https://ubuntu.com/security/CVE-2022-25236

from the above links I see its fixed in 1:1snap1-0ubuntu1, What does this mean? will the next version have the fix? Please assist

firefox |
24.10 oracular | Fixed 1:1snap1-0ubuntu1
24.04 LTS noble | Fixed 1:1snap1-0ubuntu1
22.04 LTS jammy | Fixed 1:1snap1-0ubuntu1

Command used to start Selenium Grid with Docker (or Kubernetes)

vulnerability scan by my org

Relevant log output

N/A - i used dpkg -s firefox, it has version 134.0.2~build1

Operating System

OpenShift

Docker Selenium version (image tag)

4.28.1-20250202

Selenium Grid chart version (chart version)

none

[github-actions]

@e-dsouza, thank you for creating this issue. We will troubleshoot it as soon as we can.

---

Info for maintainers

Triage this issue by using labels.

If information is missing, add a helpful comment and then I-issue-template label.

If the issue is a question, add the I-question label.

If the issue is valid but there is no time to troubleshoot it, consider adding the help wanted label.

If the issue requires changes or fixes from an external project (e.g., ChromeDriver, GeckoDriver, MSEdgeDriver, W3C), add the applicable G-* label, and it will provide the correct link and auto-close the issue.

After troubleshooting the issue, please add the R-awaiting answer label.

Thank you!

[VietND96]

Can you early scan the image tag nightly and confirm?

[e-dsouza]

@VietND96 yes nightly version has same vulnerablities with firefox 135.0.1~build1

I was told selenium/node-firefox:beta version has no vulnerablities. Is that something we can use or recommended? Thank you

[VietND96]

Ah ok, so it is CVE from Firefox binary. The current latest stable is 135.0.1, the image tag beta I guess it is ongoing with 136.0
The base image is the same, just different on the browser version.

[e-dsouza]

@VietND96 Thanks

beta does not seems to be having firefox in it yet.

based on these links
https://ubuntu.com/security/CVE-2022-25235
https://ubuntu.com/security/CVE-2022-25236
, it is fixed in 1:1snap1-0ubuntu1.

not sure what 1:1snap1-0ubuntu1 is.

so what are the next steps? contact Mozilla? is there a way?

[e-dsouza]

@VietND96 I was told selenium/node-firefox:4.26.0-20241101 doesn't have vulnerablity so I downgraded it for now. Question - so 4.26 version doesn't use firefox binary? uses something different? What changed?

[VietND96]

Via Docker Scout, I can see those 2 CVEs come from Firefox deb only. So, I think we only need wait for next version in Firefox for the fix

[VietND96]

Here is the result of dev image, where Firefox deb v136.0 is installed, there is no CVE result anymore, it means the next stable version will contain the fix. Wait for that version come to stable channel then we can pick it up

[e-dsouza]

@VietND96 Thank you. I will close this issue.

[github-actions]

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.