CVE-2025-1009
Published: 04 February 2025
Description
An attacker could have caused a use-after-free via crafted XSLT data, leading to a potentially exploitable crash. This vulnerability was fixed in Firefox 135, Firefox ESR 115.20, Firefox ESR 128.7, Thunderbird 128.7, and Thunderbird 135.
Security Summary
CVE-2025-1009 is a use-after-free vulnerability (CWE-416) in the processing of crafted XSLT data, which could lead to a potentially exploitable crash. It affects Mozilla Firefox versions prior to 135, Firefox ESR prior to 115.20 and 128.7, Thunderbird prior to 128.7 and 135. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for high impact on confidentiality, integrity, and availability.
Any remote attacker can exploit this vulnerability without privileges or user interaction by tricking a target into processing malicious XSLT data, such as via a malicious webpage or document. Successful exploitation could result in arbitrary code execution, data theft, or denial of service, as the use-after-free may allow memory corruption leading beyond a mere crash.
Mozilla's security advisories (MFSA 2025-07 through 2025-10) and Bugzilla entry 1936613 detail the fix, recommending immediate upgrades to Firefox 135, Firefox ESR 115.20 or 128.7, Thunderbird 128.7 or 135. No workarounds are specified beyond applying the patches.
Details
- CWE(s)