The Indian Computer Emergency Response Team (CERT-In) has issued a vulnerability note (CIVN-2025-0016) highlighting a series of Mozilla vulnerability, including Firefox and Thunderbird.
These vulnerabilities, which have a high severity rating, could have far-reaching implications for users by potentially allowing remote attackers to conduct spoofing attacks, disclose sensitive information, execute arbitrary code, or trigger denial of service (DoS) conditions on affected systems.
Affected Software Versions
The vulnerabilities in Mozilla products impact a variety of software versions. Users of the following versions should be particularly cautious:
- Mozilla Firefox: Versions prior to 135
- Mozilla Firefox ESR: Versions prior to 115.20 and 128.7
- Mozilla Thunderbird: Versions prior to 135
- Mozilla Thunderbird ESR: Versions prior to 128.7
Given the critical nature of these vulnerabilities, all organizations and individuals using Mozilla Firefox or Thunderbird are urged to update their software promptly to mitigate the risks.
Vulnerabilities in Mozilla Products
The vulnerabilities identified span a wide range of issues, including use-after-free errors, memory safety bugs, and problems with certificate validation. These flaws expose systems to multiple attack vectors, putting users at risk of unauthorized access, system crashes, and data breaches.
Key Mozilla Vulnerabilities Identified
- Use-After-Free in XSLT: Reported as CVE-2025-1009, this flaw in the XSLT component of Mozilla products could cause a crash when manipulated with specially crafted XSLT data. This high-impact vulnerability can be exploited to destabilize the system and potentially lead to code execution.
- Use-After-Free in Custom Highlight: CVE-2025-1010 pertains to the Custom Highlight API. If exploited, an attacker could trigger a crash, further compromising system stability and security.
- Memory Safety Bugs: Multiple instances of memory safety bugs were reported, including CVE-2025-1016, CVE-2025-1017, and CVE-2025-1020. These vulnerabilities are highly dangerous as they could lead to arbitrary code execution, providing attackers with control over the affected systems.
- WebAssembly Code Generation Bug: CVE-2025-1011 points to a WebAssembly bug that could lead to crashes, potentially opening the door for code execution attacks. This moderate impact flaw poses a critical risk, especially for systems running WebAssembly applications.
- Double-Free Vulnerability in PKCS#7 Decryption: CVE-2024-11704 refers to a double-free vulnerability in PKCS#7 decryption handling. While the risk is considered lower, exploitation could result in memory corruption, further destabilizing the system.
- Private Browsing Tab Leak: A low-impact issue, CVE-2025-1013, could cause private browsing tabs to open in normal windows. Although this vulnerability doesn’t carry significant risk by itself, it compromises user privacy and could expose browsing history.
- Email Sender Spoofing: A particularly concerning vulnerability, CVE-2025-0510, enables email sender spoofing in Thunderbird. This high-impact flaw could allow a malicious actor to manipulate the sender’s address, making it difficult for users to trust the authenticity of incoming emails.
- Fullscreen Notification Issues: CVE-2025-1018 and CVE-2025-1019 address issues related to fullscreen notifications. Exploitation of these vulnerabilities could allow attackers to hide fullscreen notifications, leading to spoofing attacks.
- Improper Certificate Length Validation: CVE-2025-1014 concerns improper certificate length validation when certificates are added to stores. While the risk is low, this flaw could be leveraged by attackers to execute malicious actions.
Exploiting Mozilla Vulnerabilities
Mozilla vulnerabilities, such as those identified in CIVN-2025-0016, can be exploited remotely by attackers through specially crafted web requests. Users could unknowingly trigger these attacks by visiting malicious websites or opening malicious email attachments. The impact of these vulnerabilities ranges from system crashes to severe data breaches and the full compromise of a system.
Successful exploitation of these flaws could result in an attacker gaining unauthorized access to sensitive information, executing arbitrary code, or causing disruptions through denial of service. As such, the Mozilla vulnerabilities highlighted in CERT-In’s report represent a security risk that should not be underestimated.
Security Fixes and Patches
Mozilla has responded swiftly to these vulnerabilities, releasing a series of security fixes across its product range. On February 4, 2025, Mozilla announced the following updates addressing the reported flaws:
- Firefox 135: Fixed several high-impact vulnerabilities, including the use-after-free flaws in XSLT and Custom Highlight (CVE-2025-1009 and CVE-2025-1010).
- Firefox ESR 115.20 and 128.7: Both releases included patches for critical vulnerabilities, such as memory safety bugs and use-after-free errors.
- Thunderbird 135 and ESR 128.7: Updates were also rolled out for Thunderbird, addressing similar vulnerabilities that affect the email client, including email sender spoofing and the WebAssembly bug.
These updates are crucial in mitigating the risk associated with Mozilla vulnerabilities and should be installed by all users of Mozilla Firefox and Thunderbird as soon as possible.
Conclusion
The vulnerabilities in Mozilla products highlighted by CERT-In’s vulnerability note (CIVN-2025-0016) highlight the importance of timely software updates. With high-impact flaws affecting Mozilla Firefox and Thunderbird, users are strongly encouraged to apply the latest patches and stay vigilant for any signs of exploitation.
The identified vulnerabilities could allow attackers to access sensitive data, execute malicious code, or cause disruptions to users’ systems. As always, maintaining up-to-date software is essential to protect against these and other potential security threats.