CVE-2025-1017
Published: 04 February 2025
Description
Memory safety bugs present in Firefox 134, Thunderbird 134, Firefox ESR 128.6, and Thunderbird 128.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 135, Firefox ESR 128.7, Thunderbird 128.7, and Thunderbird 135.
Security Summary
CVE-2025-1017 is a set of memory safety bugs, classified under CWE-787 (Out-of-bounds Write), affecting Firefox 134, Thunderbird 134, Firefox ESR 128.6, and Thunderbird 128.6. These bugs exhibited evidence of memory corruption, which Mozilla presumes could be exploited with sufficient effort to achieve arbitrary code execution. The vulnerability carries a CVSS v3.1 base score of 9.8, indicating critical severity due to its high impact on confidentiality, integrity, and availability.
Remote attackers can exploit this vulnerability over the network with low complexity, requiring no privileges, no user interaction, and no change in scope. Successful exploitation could allow arbitrary code execution on affected systems, potentially leading to full compromise of the browser or email client.
Mozilla's security advisories (MFSA 2025-07, 09, 10, and 11) detail the fixes applied in Firefox 135, Firefox ESR 128.7, Thunderbird 128.7, and Thunderbird 135. Security practitioners should prioritize updating to these patched versions, with additional details available in the referenced Bugzilla entries for the underlying bugs (1926256, 1935984, 1935471).
Details
- CWE(s)