Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2025-AVI-1016
Vulnerability from certfr_avis - Published: 2025-11-17 - Updated: 2025-11-17
De multiples vulnérabilités ont été découvertes dans Mozilla Thunderbird. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un contournement de la politique de sécurité et un problème de sécurité non spécifié par l'éditeur.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Mozilla | Thunderbird | Thunderbird versions antérieures à 145 | ||
| Mozilla | Thunderbird | Thunderbird versions antérieures à 140.5 |
References
| Title | Publication Time | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Thunderbird versions ant\u00e9rieures \u00e0 145",
"product": {
"name": "Thunderbird",
"vendor": {
"name": "Mozilla",
"scada": false
}
}
},
{
"description": "Thunderbird versions ant\u00e9rieures \u00e0 140.5",
"product": {
"name": "Thunderbird",
"vendor": {
"name": "Mozilla",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-13024",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13024"
},
{
"name": "CVE-2025-13022",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13022"
},
{
"name": "CVE-2025-13019",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13019"
},
{
"name": "CVE-2025-13016",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13016"
},
{
"name": "CVE-2025-13023",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13023"
},
{
"name": "CVE-2025-13018",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13018"
},
{
"name": "CVE-2025-13012",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13012"
},
{
"name": "CVE-2025-13020",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13020"
},
{
"name": "CVE-2025-13021",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13021"
},
{
"name": "CVE-2025-13017",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13017"
},
{
"name": "CVE-2025-13025",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13025"
},
{
"name": "CVE-2025-13015",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13015"
},
{
"name": "CVE-2025-13014",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13014"
},
{
"name": "CVE-2025-13027",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13027"
},
{
"name": "CVE-2025-13026",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13026"
},
{
"name": "CVE-2025-13013",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13013"
}
],
"initial_release_date": "2025-11-17T00:00:00",
"last_revision_date": "2025-11-17T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-1016",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-11-17T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Mozilla Thunderbird. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un contournement de la politique de s\u00e9curit\u00e9 et un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Mozilla Thunderbird",
"vendor_advisories": [
{
"published_at": "2025-11-13",
"title": "Bulletin de s\u00e9curit\u00e9 Mozilla mfsa2025-90",
"url": "https://www.mozilla.org/en-US/security/advisories/mfsa2025-90/"
},
{
"published_at": "2025-11-12",
"title": "Bulletin de s\u00e9curit\u00e9 Mozilla mfsa2025-91",
"url": "https://www.mozilla.org/en-US/security/advisories/mfsa2025-91/"
}
]
}
CVE-2025-13022 (GCVE-0-2025-13022)
Vulnerability from cvelistv5 – Published: 2025-11-11 15:47 – Updated: 2026-04-13 14:26
VLAI?
EPSS
Title
Incorrect boundary conditions in the Graphics: WebGPU component
Summary
Incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 145 and Thunderbird 145.
Severity ?
9.8 (Critical)
CWE
- CWE-703 - Improper Check or Handling of Exceptional Conditions
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Mozilla | Firefox |
Unaffected:
145 , ≤ *
(rpm)
|
|||||||
|
|||||||||
Credits
Atte Kettunen
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-13022",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-13T15:22:10.419239Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-703",
"description": "CWE-703 Improper Check or Handling of Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-25T14:56:14.200Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Firefox",
"vendor": "Mozilla",
"versions": [
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "145",
"versionType": "rpm"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "145",
"versionType": "rpm"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Atte Kettunen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 145 and Thunderbird 145."
}
],
"value": "Incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 145 and Thunderbird 145."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T14:26:10.756Z",
"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"shortName": "mozilla"
},
"references": [
{
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1988488"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-87/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-90/"
}
],
"title": "Incorrect boundary conditions in the Graphics: WebGPU component"
}
},
"cveMetadata": {
"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"assignerShortName": "mozilla",
"cveId": "CVE-2025-13022",
"datePublished": "2025-11-11T15:47:13.605Z",
"dateReserved": "2025-11-11T15:12:27.565Z",
"dateUpdated": "2026-04-13T14:26:10.756Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13016 (GCVE-0-2025-13016)
Vulnerability from cvelistv5 – Published: 2025-11-11 15:47 – Updated: 2026-04-13 14:26
VLAI?
EPSS
Title
Incorrect boundary conditions in the JavaScript: WebAssembly component
Summary
Incorrect boundary conditions in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5.
Severity ?
7.5 (High)
CWE
- CWE-703 - Improper Check or Handling of Exceptional Conditions
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Mozilla | Firefox |
Unaffected:
140.5 , ≤ 140.*
(rpm)
Unaffected: 145 , ≤ * (rpm) |
|||||||
|
|||||||||
Credits
Igor Morgenstern
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-13016",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-13T15:12:45.698841Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-703",
"description": "CWE-703 Improper Check or Handling of Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-25T14:51:51.176Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Firefox",
"vendor": "Mozilla",
"versions": [
{
"lessThanOrEqual": "140.*",
"status": "unaffected",
"version": "140.5",
"versionType": "rpm"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "145",
"versionType": "rpm"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThanOrEqual": "140.*",
"status": "unaffected",
"version": "140.5",
"versionType": "rpm"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "145",
"versionType": "rpm"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Igor Morgenstern"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect boundary conditions in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5."
}
],
"value": "Incorrect boundary conditions in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T14:26:21.119Z",
"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"shortName": "mozilla"
},
"references": [
{
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1992130"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-87/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-88/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-90/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-91/"
}
],
"title": "Incorrect boundary conditions in the JavaScript: WebAssembly component"
}
},
"cveMetadata": {
"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"assignerShortName": "mozilla",
"cveId": "CVE-2025-13016",
"datePublished": "2025-11-11T15:47:14.370Z",
"dateReserved": "2025-11-11T15:12:13.864Z",
"dateUpdated": "2026-04-13T14:26:21.119Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13023 (GCVE-0-2025-13023)
Vulnerability from cvelistv5 – Published: 2025-11-11 15:47 – Updated: 2026-04-13 14:26
VLAI?
EPSS
Title
Sandbox escape due to incorrect boundary conditions in the Graphics: WebGPU component
Summary
Sandbox escape due to incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 145 and Thunderbird 145.
Severity ?
9.8 (Critical)
CWE
- CWE-703 - Improper Check or Handling of Exceptional Conditions
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Mozilla | Firefox |
Unaffected:
145 , ≤ *
(rpm)
|
|||||||
|
|||||||||
Credits
Oskar L
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-13023",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-13T15:18:41.244453Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-703",
"description": "CWE-703 Improper Check or Handling of Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-25T14:55:34.565Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Firefox",
"vendor": "Mozilla",
"versions": [
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "145",
"versionType": "rpm"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "145",
"versionType": "rpm"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Oskar L"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Sandbox escape due to incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 145 and Thunderbird 145."
}
],
"value": "Sandbox escape due to incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 145 and Thunderbird 145."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T14:26:18.949Z",
"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"shortName": "mozilla"
},
"references": [
{
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1992032"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-87/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-90/"
}
],
"title": "Sandbox escape due to incorrect boundary conditions in the Graphics: WebGPU component"
}
},
"cveMetadata": {
"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"assignerShortName": "mozilla",
"cveId": "CVE-2025-13023",
"datePublished": "2025-11-11T15:47:13.943Z",
"dateReserved": "2025-11-11T15:12:29.824Z",
"dateUpdated": "2026-04-13T14:26:18.949Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13014 (GCVE-0-2025-13014)
Vulnerability from cvelistv5 – Published: 2025-11-11 15:47 – Updated: 2026-04-13 14:26
VLAI?
EPSS
Title
Use-after-free in the Audio/Video component
Summary
Use-after-free in the Audio/Video component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Firefox ESR 115.30, Thunderbird 145, and Thunderbird 140.5.
Severity ?
8.8 (High)
CWE
- CWE-416 - Use After Free
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Mozilla | Firefox |
Unaffected:
115.30 , ≤ 115.*
(rpm)
Unaffected: 140.5 , ≤ 140.* (rpm) Unaffected: 145 , ≤ * (rpm) |
|||||||
|
|||||||||
Credits
Andrew Osmond
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-13014",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-12T15:33:45.863353Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-26T15:00:09.888Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Firefox",
"vendor": "Mozilla",
"versions": [
{
"lessThanOrEqual": "115.*",
"status": "unaffected",
"version": "115.30",
"versionType": "rpm"
},
{
"lessThanOrEqual": "140.*",
"status": "unaffected",
"version": "140.5",
"versionType": "rpm"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "145",
"versionType": "rpm"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThanOrEqual": "140.*",
"status": "unaffected",
"version": "140.5",
"versionType": "rpm"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "145",
"versionType": "rpm"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Andrew Osmond"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Use-after-free in the Audio/Video component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Firefox ESR 115.30, Thunderbird 145, and Thunderbird 140.5."
}
],
"value": "Use-after-free in the Audio/Video component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Firefox ESR 115.30, Thunderbird 145, and Thunderbird 140.5."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T14:26:38.013Z",
"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"shortName": "mozilla"
},
"references": [
{
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1994241"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-87/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-88/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-89/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-90/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-91/"
}
],
"title": "Use-after-free in the Audio/Video component"
}
},
"cveMetadata": {
"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"assignerShortName": "mozilla",
"cveId": "CVE-2025-13014",
"datePublished": "2025-11-11T15:47:12.313Z",
"dateReserved": "2025-11-11T15:12:08.629Z",
"dateUpdated": "2026-04-13T14:26:38.013Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13017 (GCVE-0-2025-13017)
Vulnerability from cvelistv5 – Published: 2025-11-11 15:47 – Updated: 2026-04-13 14:26
VLAI?
EPSS
Title
Same-origin policy bypass in the DOM: Notifications component
Summary
Same-origin policy bypass in the DOM: Notifications component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5.
Severity ?
8.1 (High)
CWE
- CWE-942 - Permissive Cross-domain Policy with Untrusted Domains
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Mozilla | Firefox |
Unaffected:
140.5 , ≤ 140.*
(rpm)
Unaffected: 145 , ≤ * (rpm) |
|||||||
|
|||||||||
Credits
Mochammad Nosa Shandy Prastyo
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-13017",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-12T15:14:51.986912Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-942",
"description": "CWE-942 Permissive Cross-domain Policy with Untrusted Domains",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-25T14:48:48.269Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Firefox",
"vendor": "Mozilla",
"versions": [
{
"lessThanOrEqual": "140.*",
"status": "unaffected",
"version": "140.5",
"versionType": "rpm"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "145",
"versionType": "rpm"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThanOrEqual": "140.*",
"status": "unaffected",
"version": "140.5",
"versionType": "rpm"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "145",
"versionType": "rpm"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Mochammad Nosa Shandy Prastyo"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Same-origin policy bypass in the DOM: Notifications component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5."
}
],
"value": "Same-origin policy bypass in the DOM: Notifications component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T14:26:28.500Z",
"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"shortName": "mozilla"
},
"references": [
{
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1980904"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-87/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-88/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-90/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-91/"
}
],
"title": "Same-origin policy bypass in the DOM: Notifications component"
}
},
"cveMetadata": {
"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"assignerShortName": "mozilla",
"cveId": "CVE-2025-13017",
"datePublished": "2025-11-11T15:47:16.109Z",
"dateReserved": "2025-11-11T15:12:15.878Z",
"dateUpdated": "2026-04-13T14:26:28.500Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13018 (GCVE-0-2025-13018)
Vulnerability from cvelistv5 – Published: 2025-11-11 15:47 – Updated: 2026-04-13 14:26
VLAI?
EPSS
Title
Mitigation bypass in the DOM: Security component
Summary
Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5.
Severity ?
8.1 (High)
CWE
- CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Mozilla | Firefox |
Unaffected:
140.5 , ≤ 140.*
(rpm)
Unaffected: 145 , ≤ * (rpm) |
|||||||
|
|||||||||
Credits
Daniel Veditz
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-13018",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-12T15:10:48.076563Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-25T14:48:17.867Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Firefox",
"vendor": "Mozilla",
"versions": [
{
"lessThanOrEqual": "140.*",
"status": "unaffected",
"version": "140.5",
"versionType": "rpm"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "145",
"versionType": "rpm"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThanOrEqual": "140.*",
"status": "unaffected",
"version": "140.5",
"versionType": "rpm"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "145",
"versionType": "rpm"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Daniel Veditz"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5."
}
],
"value": "Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T14:26:30.229Z",
"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"shortName": "mozilla"
},
"references": [
{
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1984940"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-87/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-88/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-90/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-91/"
}
],
"title": "Mitigation bypass in the DOM: Security component"
}
},
"cveMetadata": {
"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"assignerShortName": "mozilla",
"cveId": "CVE-2025-13018",
"datePublished": "2025-11-11T15:47:16.458Z",
"dateReserved": "2025-11-11T15:12:17.945Z",
"dateUpdated": "2026-04-13T14:26:30.229Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13013 (GCVE-0-2025-13013)
Vulnerability from cvelistv5 – Published: 2025-11-11 15:47 – Updated: 2026-04-13 14:26
VLAI?
EPSS
Title
Mitigation bypass in the DOM: Core & HTML component
Summary
Mitigation bypass in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Firefox ESR 115.30, Thunderbird 145, and Thunderbird 140.5.
Severity ?
6.1 (Medium)
CWE
- CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Mozilla | Firefox |
Unaffected:
115.30 , ≤ 115.*
(rpm)
Unaffected: 140.5 , ≤ 140.* (rpm) Unaffected: 145 , ≤ * (rpm) |
|||||||
|
|||||||||
Credits
Masato Kinugawa
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-13013",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-13T15:35:19.621478Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-26T15:00:27.162Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Firefox",
"vendor": "Mozilla",
"versions": [
{
"lessThanOrEqual": "115.*",
"status": "unaffected",
"version": "115.30",
"versionType": "rpm"
},
{
"lessThanOrEqual": "140.*",
"status": "unaffected",
"version": "140.5",
"versionType": "rpm"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "145",
"versionType": "rpm"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThanOrEqual": "140.*",
"status": "unaffected",
"version": "140.5",
"versionType": "rpm"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "145",
"versionType": "rpm"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Masato Kinugawa"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Mitigation bypass in the DOM: Core \u0026 HTML component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Firefox ESR 115.30, Thunderbird 145, and Thunderbird 140.5."
}
],
"value": "Mitigation bypass in the DOM: Core \u0026 HTML component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Firefox ESR 115.30, Thunderbird 145, and Thunderbird 140.5."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T14:26:34.039Z",
"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"shortName": "mozilla"
},
"references": [
{
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1991945"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-87/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-88/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-89/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-90/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-91/"
}
],
"title": "Mitigation bypass in the DOM: Core \u0026 HTML component"
}
},
"cveMetadata": {
"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"assignerShortName": "mozilla",
"cveId": "CVE-2025-13013",
"datePublished": "2025-11-11T15:47:11.849Z",
"dateReserved": "2025-11-11T15:12:05.806Z",
"dateUpdated": "2026-04-13T14:26:34.039Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13021 (GCVE-0-2025-13021)
Vulnerability from cvelistv5 – Published: 2025-11-11 15:47 – Updated: 2026-04-13 14:26
VLAI?
EPSS
Title
Incorrect boundary conditions in the Graphics: WebGPU component
Summary
Incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 145 and Thunderbird 145.
Severity ?
9.8 (Critical)
CWE
- CWE-703 - Improper Check or Handling of Exceptional Conditions
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Mozilla | Firefox |
Unaffected:
145 , ≤ *
(rpm)
|
|||||||
|
|||||||||
Credits
Atte Kettunen
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-13021",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-13T15:25:13.429057Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-703",
"description": "CWE-703 Improper Check or Handling of Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-25T14:56:51.159Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Firefox",
"vendor": "Mozilla",
"versions": [
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "145",
"versionType": "rpm"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "145",
"versionType": "rpm"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Atte Kettunen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 145 and Thunderbird 145."
}
],
"value": "Incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 145 and Thunderbird 145."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T14:26:08.726Z",
"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"shortName": "mozilla"
},
"references": [
{
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1986431"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-87/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-90/"
}
],
"title": "Incorrect boundary conditions in the Graphics: WebGPU component"
}
},
"cveMetadata": {
"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"assignerShortName": "mozilla",
"cveId": "CVE-2025-13021",
"datePublished": "2025-11-11T15:47:13.214Z",
"dateReserved": "2025-11-11T15:12:25.134Z",
"dateUpdated": "2026-04-13T14:26:08.726Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13025 (GCVE-0-2025-13025)
Vulnerability from cvelistv5 – Published: 2025-11-11 15:47 – Updated: 2026-04-13 14:26
VLAI?
EPSS
Title
Incorrect boundary conditions in the Graphics: WebGPU component
Summary
Incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 145 and Thunderbird 145.
Severity ?
7.5 (High)
CWE
- CWE-276 - Incorrect Default Permissions
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Mozilla | Firefox |
Unaffected:
145 , ≤ *
(rpm)
|
|||||||
|
|||||||||
Credits
Oskar L
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-13025",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-12T15:20:52.178382Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276 Incorrect Default Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-25T14:49:52.905Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Firefox",
"vendor": "Mozilla",
"versions": [
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "145",
"versionType": "rpm"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "145",
"versionType": "rpm"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Oskar L"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 145 and Thunderbird 145."
}
],
"value": "Incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 145 and Thunderbird 145."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T14:26:24.598Z",
"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"shortName": "mozilla"
},
"references": [
{
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1994022"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-87/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-90/"
}
],
"title": "Incorrect boundary conditions in the Graphics: WebGPU component"
}
},
"cveMetadata": {
"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"assignerShortName": "mozilla",
"cveId": "CVE-2025-13025",
"datePublished": "2025-11-11T15:47:15.246Z",
"dateReserved": "2025-11-11T15:12:34.232Z",
"dateUpdated": "2026-04-13T14:26:24.598Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13019 (GCVE-0-2025-13019)
Vulnerability from cvelistv5 – Published: 2025-11-11 15:47 – Updated: 2026-04-13 14:26
VLAI?
EPSS
Title
Same-origin policy bypass in the DOM: Workers component
Summary
Same-origin policy bypass in the DOM: Workers component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5.
Severity ?
8.1 (High)
CWE
- CWE-942 - Permissive Cross-domain Policy with Untrusted Domains
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Mozilla | Firefox |
Unaffected:
140.5 , ≤ 140.*
(rpm)
Unaffected: 145 , ≤ * (rpm) |
|||||||
|
|||||||||
Credits
Oskar L
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-13019",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-12T14:59:56.437129Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-942",
"description": "CWE-942 Permissive Cross-domain Policy with Untrusted Domains",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-25T14:47:26.072Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Firefox",
"vendor": "Mozilla",
"versions": [
{
"lessThanOrEqual": "140.*",
"status": "unaffected",
"version": "140.5",
"versionType": "rpm"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "145",
"versionType": "rpm"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThanOrEqual": "140.*",
"status": "unaffected",
"version": "140.5",
"versionType": "rpm"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "145",
"versionType": "rpm"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Oskar L"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Same-origin policy bypass in the DOM: Workers component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5."
}
],
"value": "Same-origin policy bypass in the DOM: Workers component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T14:26:31.931Z",
"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"shortName": "mozilla"
},
"references": [
{
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1988412"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-87/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-88/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-90/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-91/"
}
],
"title": "Same-origin policy bypass in the DOM: Workers component"
}
},
"cveMetadata": {
"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"assignerShortName": "mozilla",
"cveId": "CVE-2025-13019",
"datePublished": "2025-11-11T15:47:16.759Z",
"dateReserved": "2025-11-11T15:12:20.399Z",
"dateUpdated": "2026-04-13T14:26:31.931Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13027 (GCVE-0-2025-13027)
Vulnerability from cvelistv5 – Published: 2025-11-11 15:47 – Updated: 2026-04-13 14:26
VLAI?
EPSS
Title
Memory safety bugs fixed in Firefox 145 and Thunderbird 145
Summary
Memory safety bugs present in Firefox 144 and Thunderbird 144. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 145 and Thunderbird 145.
Severity ?
8.1 (High)
CWE
- CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Mozilla | Firefox |
Unaffected:
145 , ≤ *
(rpm)
|
|||||||
|
|||||||||
Credits
The Mozilla Fuzzing Team
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-13027",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-13T04:55:42.430638Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T16:57:57.948Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Firefox",
"vendor": "Mozilla",
"versions": [
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "145",
"versionType": "rpm"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "145",
"versionType": "rpm"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "The Mozilla Fuzzing Team"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Memory safety bugs present in Firefox 144 and Thunderbird 144. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 145 and Thunderbird 145."
}
],
"value": "Memory safety bugs present in Firefox 144 and Thunderbird 144. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 145 and Thunderbird 145."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T14:26:42.181Z",
"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"shortName": "mozilla"
},
"references": [
{
"name": "Memory safety bugs fixed in Firefox 145 and Thunderbird 145",
"url": "https://bugzilla.mozilla.org/buglist.cgi?bug_id=1987237%2C1990079%2C1991715%2C1994994"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-87/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-90/"
}
],
"title": "Memory safety bugs fixed in Firefox 145 and Thunderbird 145"
}
},
"cveMetadata": {
"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"assignerShortName": "mozilla",
"cveId": "CVE-2025-13027",
"datePublished": "2025-11-11T15:47:17.570Z",
"dateReserved": "2025-11-11T15:12:38.453Z",
"dateUpdated": "2026-04-13T14:26:42.181Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13026 (GCVE-0-2025-13026)
Vulnerability from cvelistv5 – Published: 2025-11-11 15:47 – Updated: 2026-04-13 14:26
VLAI?
EPSS
Title
Sandbox escape due to incorrect boundary conditions in the Graphics: WebGPU component
Summary
Sandbox escape due to incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 145 and Thunderbird 145.
Severity ?
9.8 (Critical)
CWE
- CWE-703 - Improper Check or Handling of Exceptional Conditions
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Mozilla | Firefox |
Unaffected:
145 , ≤ *
(rpm)
|
|||||||
|
|||||||||
Credits
Jamie Nicol
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-13026",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-12T15:17:23.471803Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-703",
"description": "CWE-703 Improper Check or Handling of Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-25T14:49:13.214Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Firefox",
"vendor": "Mozilla",
"versions": [
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "145",
"versionType": "rpm"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "145",
"versionType": "rpm"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Jamie Nicol"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Sandbox escape due to incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 145 and Thunderbird 145."
}
],
"value": "Sandbox escape due to incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 145 and Thunderbird 145."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T14:26:26.316Z",
"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"shortName": "mozilla"
},
"references": [
{
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1994441"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-87/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-90/"
}
],
"title": "Sandbox escape due to incorrect boundary conditions in the Graphics: WebGPU component"
}
},
"cveMetadata": {
"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"assignerShortName": "mozilla",
"cveId": "CVE-2025-13026",
"datePublished": "2025-11-11T15:47:15.695Z",
"dateReserved": "2025-11-11T15:12:36.214Z",
"dateUpdated": "2026-04-13T14:26:26.316Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13012 (GCVE-0-2025-13012)
Vulnerability from cvelistv5 – Published: 2025-11-11 15:47 – Updated: 2026-04-13 14:26
VLAI?
EPSS
Title
Race condition in the Graphics component
Summary
Race condition in the Graphics component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Firefox ESR 115.30, Thunderbird 145, and Thunderbird 140.5.
Severity ?
7.5 (High)
CWE
- CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Mozilla | Firefox |
Unaffected:
115.30 , ≤ 115.*
(rpm)
Unaffected: 140.5 , ≤ 140.* (rpm) Unaffected: 145 , ≤ * (rpm) |
|||||||
|
|||||||||
Credits
Irvan Kurniawan
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-13012",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-13T15:37:17.364224Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-26T15:00:50.725Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Firefox",
"vendor": "Mozilla",
"versions": [
{
"lessThanOrEqual": "115.*",
"status": "unaffected",
"version": "115.30",
"versionType": "rpm"
},
{
"lessThanOrEqual": "140.*",
"status": "unaffected",
"version": "140.5",
"versionType": "rpm"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "145",
"versionType": "rpm"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThanOrEqual": "140.*",
"status": "unaffected",
"version": "140.5",
"versionType": "rpm"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "145",
"versionType": "rpm"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Irvan Kurniawan"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Race condition in the Graphics component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Firefox ESR 115.30, Thunderbird 145, and Thunderbird 140.5."
}
],
"value": "Race condition in the Graphics component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Firefox ESR 115.30, Thunderbird 145, and Thunderbird 140.5."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T14:26:13.190Z",
"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"shortName": "mozilla"
},
"references": [
{
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1991458"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-87/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-88/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-89/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-90/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-91/"
}
],
"title": "Race condition in the Graphics component"
}
},
"cveMetadata": {
"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"assignerShortName": "mozilla",
"cveId": "CVE-2025-13012",
"datePublished": "2025-11-11T15:47:11.434Z",
"dateReserved": "2025-11-11T15:12:03.494Z",
"dateUpdated": "2026-04-13T14:26:13.190Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13024 (GCVE-0-2025-13024)
Vulnerability from cvelistv5 – Published: 2025-11-11 15:47 – Updated: 2026-04-13 14:26
VLAI?
EPSS
Title
JIT miscompilation in the JavaScript Engine: JIT component
Summary
JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 145 and Thunderbird 145.
Severity ?
9.8 (Critical)
CWE
- CWE-733 - Compiler Optimization Removal or Modification of Security-critical Code
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Mozilla | Firefox |
Unaffected:
145 , ≤ *
(rpm)
|
|||||||
|
|||||||||
Credits
Project KillFuzz of Qrious Secure
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-13024",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-13T15:09:23.127652Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-733",
"description": "CWE-733 Compiler Optimization Removal or Modification of Security-critical Code",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-25T14:50:35.468Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Firefox",
"vendor": "Mozilla",
"versions": [
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "145",
"versionType": "rpm"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "145",
"versionType": "rpm"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Project KillFuzz of Qrious Secure"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 145 and Thunderbird 145."
}
],
"value": "JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 145 and Thunderbird 145."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T14:26:22.837Z",
"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"shortName": "mozilla"
},
"references": [
{
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1992902"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-87/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-90/"
}
],
"title": "JIT miscompilation in the JavaScript Engine: JIT component"
}
},
"cveMetadata": {
"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"assignerShortName": "mozilla",
"cveId": "CVE-2025-13024",
"datePublished": "2025-11-11T15:47:14.756Z",
"dateReserved": "2025-11-11T15:12:32.221Z",
"dateUpdated": "2026-04-13T14:26:22.837Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13020 (GCVE-0-2025-13020)
Vulnerability from cvelistv5 – Published: 2025-11-11 15:47 – Updated: 2026-04-13 14:26
VLAI?
EPSS
Title
Use-after-free in the WebRTC: Audio/Video component
Summary
Use-after-free in the WebRTC: Audio/Video component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5.
Severity ?
8.8 (High)
CWE
- CWE-416 - Use After Free
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Mozilla | Firefox |
Unaffected:
140.5 , ≤ 140.*
(rpm)
Unaffected: 145 , ≤ * (rpm) |
|||||||
|
|||||||||
Credits
Andreas Pehrson
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-13020",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-12T14:56:55.388656Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416 Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-25T14:47:09.378Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Firefox",
"vendor": "Mozilla",
"versions": [
{
"lessThanOrEqual": "140.*",
"status": "unaffected",
"version": "140.5",
"versionType": "rpm"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "145",
"versionType": "rpm"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThanOrEqual": "140.*",
"status": "unaffected",
"version": "140.5",
"versionType": "rpm"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "145",
"versionType": "rpm"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Andreas Pehrson"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Use-after-free in the WebRTC: Audio/Video component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5."
}
],
"value": "Use-after-free in the WebRTC: Audio/Video component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T14:26:35.933Z",
"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"shortName": "mozilla"
},
"references": [
{
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1995686"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-87/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-88/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-90/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-91/"
}
],
"title": "Use-after-free in the WebRTC: Audio/Video component"
}
},
"cveMetadata": {
"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"assignerShortName": "mozilla",
"cveId": "CVE-2025-13020",
"datePublished": "2025-11-11T15:47:17.203Z",
"dateReserved": "2025-11-11T15:12:22.873Z",
"dateUpdated": "2026-04-13T14:26:35.933Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13015 (GCVE-0-2025-13015)
Vulnerability from cvelistv5 – Published: 2025-11-11 15:47 – Updated: 2026-04-13 14:26
VLAI?
EPSS
Title
Spoofing issue in Firefox
Summary
Spoofing issue in Firefox. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, and Firefox ESR 115.30.
Severity ?
CWE
- CWE-290 - Authentication Bypass by Spoofing
Assigner
References
Impacted products
Credits
Eemeli Aro
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.4,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-13015",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-13T15:30:38.052400Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-290",
"description": "CWE-290 Authentication Bypass by Spoofing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-25T14:57:10.250Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Firefox",
"vendor": "Mozilla",
"versions": [
{
"lessThanOrEqual": "115.*",
"status": "unaffected",
"version": "115.30",
"versionType": "rpm"
},
{
"lessThanOrEqual": "140.*",
"status": "unaffected",
"version": "140.5",
"versionType": "rpm"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "145",
"versionType": "rpm"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Eemeli Aro"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Spoofing issue in Firefox. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, and Firefox ESR 115.30."
}
],
"value": "Spoofing issue in Firefox. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, and Firefox ESR 115.30."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T14:26:40.252Z",
"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"shortName": "mozilla"
},
"references": [
{
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1994164"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-87/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-88/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2025-89/"
}
],
"title": "Spoofing issue in Firefox"
}
},
"cveMetadata": {
"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"assignerShortName": "mozilla",
"cveId": "CVE-2025-13015",
"datePublished": "2025-11-11T15:47:12.707Z",
"dateReserved": "2025-11-11T15:12:11.401Z",
"dateUpdated": "2026-04-13T14:26:40.252Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Loading…
Show additional events:
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…