Use-After-Free Vulnerability in Firefox and Thunderbird Products by Mozilla
CVE-2025-1009

9.8CRITICAL

Key Information:

Vendor: Mozilla
Status: Firefox; Firefox Esr; Thunderbird
Vendor: CVE Published:; 4 February 2025

Summary

A vulnerability exists in Mozilla's Firefox and Thunderbird products that could be exploited through crafted XSLT data, potentially leading to application crashes. Attackers may leverage this condition to disrupt services, highlighting the importance of maintaining updated versions to mitigate risks associated with this insecure implementation.

Affected Version(s)

Firefox < 135

Firefox ESR < 115.20

Firefox ESR < 128.7

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1936613

https://www.mozilla.org/security/advisories/mfsa2025-07/

https://www.mozilla.org/security/advisories/mfsa2025-08/

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 4, 2025
Vulnerability Reserved
Feb 4, 2025

Credit

Ivan Fratric of Google Project Zero