CVE-2025-1009

9.8 CRITICAL

📋 TL;DR

A use-after-free vulnerability in Firefox and Thunderbird allows attackers to cause potentially exploitable crashes via crafted XSLT data. This affects Firefox versions below 135 and specific ESR versions, plus Thunderbird versions below 128.7 and 135. Successful exploitation could lead to arbitrary code execution.

💻 Affected Systems

Products:
  • Mozilla Firefox
  • Mozilla Firefox ESR
  • Mozilla Thunderbird
Versions: Firefox < 135, Firefox ESR < 115.20, Firefox ESR < 128.7, Thunderbird < 128.7, Thunderbird < 135
Operating Systems: Windows, Linux, macOS, Android, iOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable. XSLT processing is enabled by default in affected browsers/email clients.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution with the privileges of the browser/email client user, potentially leading to full system compromise.

🟠 Likely Case: Browser/application crash leading to denial of service, with potential for code execution if combined with other vulnerabilities.

🟢 If Mitigated: Limited to denial of service if sandboxing and other browser security features prevent full exploitation.

🌐 Internet-Facing: HIGH - Attackers can exploit via malicious web pages or emails without user interaction beyond visiting/opening.
🏢 Internal Only: MEDIUM - Requires user to visit malicious internal sites or open crafted emails, but internal threats exist.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting malicious XSLT data, but no public proof-of-concept has been released. The high CVSS score suggests reliable exploitation is possible.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 135+, Firefox ESR 115.20+, Firefox ESR 128.7+, Thunderbird 128.7+, Thunderbird 135+

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2025-07/

Restart Required: Yes

Instructions:

1. Open Firefox/Thunderbird.
2. Click menu → Help → About Firefox/Thunderbird.
3. Allow the automatic update check and installation to complete.
4. Restart the application when prompted.

🔧 Temporary Workarounds

Disable XSLT processing (platforms: all)

Disables XSLT transformation functionality in Firefox/Thunderbird to prevent exploitation.

about:config → Set 'dom.xslt.enabled' to false

🧯 If You Can't Patch

  • Restrict access to untrusted websites and email sources
  • Implement application whitelisting to prevent execution of malicious code

🔍 How to Verify

Check if Vulnerable:

Check browser/email client version against affected versions list.

Check Version:

Firefox/Thunderbird: about:support → Application Basics → Version

Verify Fix Applied:

Confirm version is equal to or higher than patched versions: Firefox ≥135, Firefox ESR ≥115.20 or ≥128.7, Thunderbird ≥128.7 or ≥135.
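As an added example (not part of the page or of Mozilla's advisory), a small Python check that applies the version thresholds above to an inventory. It handles the ESR and Thunderbird case where two supported branches are fixed at different versions, so a plain "less than the newest fixed version" comparison would misclassify a patched 115.20 ESR or 128.7 Thunderbird; the product keys and the sample inventory are constructed for illustration.

```python
"""Version triage for CVE-2025-1009 (added example; thresholds taken from the page)."""
import re

# Fixed versions per product as (branch_major, minimum fixed (major, minor)).
# A branch entry only applies to installs on that major; None applies to any major.
FIXED = {
    "firefox":     [(None, (135, 0))],
    "firefox-esr": [(115, (115, 20)), (None, (128, 7))],
    "thunderbird": [(128, (128, 7)), (None, (135, 0))],
}

def parse_version(text):
    """'128.6.0esr' -> (128, 6, 0); trailing suffixes such as 'esr' or 'a1' are dropped."""
    m = re.match(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p or 0) for p in m.groups())

def is_vulnerable(product, version_text):
    """True when the install is below every fixed version that applies to its branch."""
    v = parse_version(version_text)
    for branch, fixed in FIXED[product]:
        if branch is not None and v[0] != branch:
            continue                      # threshold belongs to a different branch line
        if v[:2] >= fixed:
            return False                  # at or above a fixed release on this branch
    return True

def triage(inventory):
    """inventory: iterable of (host, product, version) -> list of (host, product, version, status)."""
    return [(h, p, ver, "VULNERABLE" if is_vulnerable(p, ver) else "patched")
            for h, p, ver in inventory]

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [
        ("ws01", "firefox", "134.0.2"),
        ("ws02", "firefox-esr", "115.20.0esr"),
        ("ws03", "firefox-esr", "128.6.0esr"),
        ("mail1", "thunderbird", "128.7.0"),
        ("mail2", "thunderbird", "134.0"),
    ]
    for row in triage(sample):
        print("%-6s %-12s %-12s %s" % row)
```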

📡 Detection & Monitoring

Log Indicators:

  • Browser/email client crash logs with XSLT-related stack traces
  • Unexpected process termination events

Network Indicators:

  • Requests to domains serving XSLT content
  • Unusual outbound connections after visiting sites with XSLT

SIEM Query:

(EventID=1000 OR EventID=1001) AND (ProcessName="firefox.exe" OR ProcessName="thunderbird.exe") AND Keywords contains "XSLT"
