CVE-2025-1011
Published: 04 February 2025
Description
A bug in WebAssembly code generation could have lead to a crash. It may have been possible for an attacker to leverage this to achieve code execution. This vulnerability was fixed in Firefox 135, Firefox ESR 128.7, Thunderbird 128.7, and Thunderbird 135.
Security Summary
CVE-2025-1011 is a vulnerability in the WebAssembly code generation component of Mozilla Firefox and Thunderbird products. The issue manifests as a bug that could cause a crash and potentially be leveraged by an attacker to achieve arbitrary code execution. It affects versions of Firefox prior to 135, Firefox ESR prior to 128.7, Thunderbird prior to 128.7, and Thunderbird prior to 135, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and association to CWE-94 (Code Injection).
An attacker can exploit this vulnerability remotely over the network with low complexity and no required privileges, though it necessitates user interaction, such as visiting a malicious site or opening a crafted file. Successful exploitation could result in high-impact confidentiality, integrity, and availability violations, including the potential for code execution within the browser's sandboxed environment.
Mozilla addressed the vulnerability in Firefox 135, Firefox ESR 128.7, Thunderbird 128.7, and Thunderbird 135, as detailed in security advisories MFSA 2025-07, MFSA 2025-09, MFSA 2025-10, and MFSA 2025-11, along with Bugzilla entry 1936454. Security practitioners should prioritize updating affected products to these patched versions to mitigate the risk.
Details
- CWE(s)