CVE-2025-1010
Published: 04 February 2025
Description
An attacker could have caused a use-after-free via the Custom Highlight API, leading to a potentially exploitable crash. This vulnerability was fixed in Firefox 135, Firefox ESR 115.20, Firefox ESR 128.7, Thunderbird 128.7, and Thunderbird 135.
Security Summary
CVE-2025-1010 is a use-after-free vulnerability (CWE-416) in the Custom Highlight API of Mozilla Firefox and Thunderbird. It affects versions of Firefox prior to 135, Firefox ESR prior to 115.20 and 128.7, Thunderbird prior to 128.7 and 135. The issue allows an attacker to trigger memory corruption, resulting in a potentially exploitable crash, and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A remote attacker can exploit this vulnerability by tricking a user into interacting with malicious content, such as visiting a crafted webpage, due to the requirement for user interaction (UI:R) and no privileges (PR:N). Successful exploitation could lead to high-impact confidentiality, integrity, and availability violations, potentially enabling arbitrary code execution or other severe outcomes from the memory corruption.
Mozilla's security advisories (MFSA 2025-07 through 2025-10) and the associated Bugzilla entry (1936982) confirm the vulnerability was addressed in the specified fixed releases. Security practitioners should prioritize updating affected Firefox and Thunderbird installations to the patched versions to mitigate the risk.
Details
- CWE(s)