After selecting a malicious Windows `.url` shortcut from the local filesystem, an unexpected file could be uploaded. *This bug only affects Firefox on Windows. Other operating systems are unaffected.* This vulnerability affects Firefox < 137 and Thunderbird < 137.
https://www.mozilla.org/security/advisories/mfsa2025-23/