CVE-2025-1020
Published: 04 February 2025
Description
Memory safety bugs present in Firefox 134 and Thunderbird 134. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 135 and Thunderbird 135.
Security Summary
CVE-2025-1020 is a set of memory safety bugs (classified under CWE-787: Out-of-bounds Write) affecting Firefox version 134 and Thunderbird version 134. These bugs exhibited evidence of memory corruption, which Mozilla presumes could be exploited with sufficient effort to achieve arbitrary code execution. The vulnerability carries a CVSS v3.1 base score of 9.8, reflecting its critical severity.
The vulnerability is exploitable remotely over the network (AV:N) with low attack complexity (AC:L), requires no privileges (PR:N) and no user interaction (UI:N), and does not change scope (S:U). Successful exploitation has a high impact on confidentiality (C:H), integrity (I:H), and availability (A:H), potentially fully compromising affected browsers or email clients.
Mozilla's security advisories (MFSA 2025-07 and MFSA 2025-11) detail the fixes applied in Firefox 135 and Thunderbird 135, recommending immediate upgrades to these patched versions. Additional technical details are available in the associated Bugzilla entries for bugs 1939063 and 1942169.
Details
- CWE(s)