The Tor Project has released Tor Browser 15.0.1 , fixing critical security vulnerabilities inherited from Firefox 140.5.0esr.
This maintenance release offers essential protections for privacy-conscious users who rely on anonymous browsing.
The update includes a complete overhaul of Firefox 140.5.0esr, incorporating essential security patches from Mozilla’s latest extended support release.
Tor Browser 15.0.1 is now available on the official download page and in the Tor Browser distribution directory.
Key improvements include updates to the NoScript extension (version 13.4) and fixes that address several critical bugs affecting core functionality.
The release fixes zoom level persistence issues, where default zoom settings are unexpectedly reset to 100%, a common frustration for users with specific zoom preferences.
The update includes security fixes backported from Firefox ESR 145 and addresses eight documented vulnerabilities identified in the underlying Firefox engine.
They range from high-impact flaws affecting graphics rendering and WebAssembly operations to moderate-severity issues involving policy bypass and memory management.
| CVE ID | Vulnerability Type | Impact | Component |
|---|---|---|---|
| CVE-2025-13012 | Race condition | High | Graphics |
| CVE-2025-13016 | Incorrect boundary conditions | High | JavaScript: WebAssembly |
| CVE-2025-13017 | Same-origin policy bypass | Moderate | DOM: Notifications |
| CVE-2025-13018 | Mitigation bypass | Moderate | DOM: Security |
| CVE-2025-13019 | Same-origin policy bypass | Moderate | DOM: Workers |
| CVE-2025-13013 | Mitigation bypass | Moderate | DOM: Core & HTML |
| CVE-2025-13020 | Use-after-free | Moderate | WebRTC: Audio/Video |
| CVE-2025-13014 | Use-after-free | Moderate | Audio/Video |
All platforms benefit from the NoScript extension update and bug fixes. Windows, macOS, and Linux users also benefit from integration with Firefox 140.5.0esr, with fixes for the issue that affects the visibility of the update message on about:tor pages.
Linux users can especially benefit from the restoration of Noto CJK fonts, the replacement of less readable Jigmo fonts, and the resolution of font rendering issues in the auto-update dialog.
Android users now benefit from improved handling of the extension update process, which previously failed on mobile devices. GeckoView has been updated to version 140.5.0esr to accommodate desktop builds.
The build system has received maintenance updates, including a Go version update to 1.24.10 on Windows, Linux, and Android platforms.
Android-specific improvements streamline the signing and zipalign processes, reducing redundant operations during release builds.
Users can download Tor Browser 15.0.1 directly from the official Tor Project website. Those experiencing issues or wanting new features are encouraged to submit feedback through the dedicated bug reporting channel on the Tor support portal.
The full changelog documents all changes, including improvements to the internal build system, ensuring long-term maintenance stability for the privacy-focused browser.
Follow us on Google News to receive daily updates on cybersecurity. Contact us if you would like to report news, insights or content for publication.
