CVE-2025-1013

6.5 MEDIUM

📋 TL;DR

A race condition vulnerability in Mozilla Firefox, Firefox ESR, and Thunderbird could cause private browsing tabs to open in normal browsing windows, potentially leaking private browsing data. This affects users running vulnerable versions of these applications. The vulnerability could expose browsing history, cookies, and other private data.

💻 Affected Systems

Products:
  • Mozilla Firefox
  • Mozilla Firefox ESR
  • Mozilla Thunderbird
Versions: Firefox < 135, Firefox ESR < 128.7, Thunderbird < 128.7, Thunderbird < 135
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations of affected versions are vulnerable when private browsing mode is used.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Private browsing session data (history, cookies, form data) becomes accessible in normal browsing windows, potentially exposing sensitive user information to other users or attackers with access to the system.

🟠 Likely Case

Intermittent privacy leaks where private browsing data briefly appears in normal windows, potentially exposing browsing history or session data.

🟢 If Mitigated

Minimal impact if users don't use private browsing or if proper browser isolation practices are followed.

🌐 Internet-Facing: LOW - This is a client-side vulnerability requiring local access or user interaction, not directly exploitable over the internet.
🏢 Internal Only: MEDIUM - Risk exists for shared workstations or systems where multiple users might access private browsing data accidentally leaked to normal windows.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires race condition timing and user interaction with private browsing mode. No public exploits have been reported.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 135+, Firefox ESR 128.7+, Thunderbird 128.7+, Thunderbird 135+

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2025-07/

Restart Required: Yes

Instructions:

1. Open the affected application (Firefox or Thunderbird).
2. Click the menu button (three horizontal lines).
3. Select Help > About Firefox/Thunderbird.
4. The application will check for updates and install if available.
5. Restart the application when prompted.

🔧 Temporary Workarounds

Disable Private Browsing (all platforms)

Prevent use of private browsing mode to eliminate the vulnerability surface.

Not applicable - configuration change in browser settings

Use Separate Browser Profiles (all platforms)

Create separate browser profiles for private browsing to isolate sessions.

firefox -CreateProfile "PrivateProfile"
thunderbird -CreateProfile "PrivateProfile"

🧯 If You Can't Patch

  • Avoid using private browsing mode on vulnerable versions
  • Clear browser history and cookies regularly to minimize potential data exposure

🔍 How to Verify

Check if Vulnerable:

Check the application version in Help > About Firefox/Thunderbird and compare with affected versions.

Check Version:

firefox --version (Linux/macOS) or check About dialog (Windows)

Verify Fix Applied:

Verify the application version is Firefox 135+, Firefox ESR 128.7+, Thunderbird 128.7+, or Thunderbird 135+.
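
The version comparison above can be scripted for fleet checks. The following is an added example, not part of the vendor advisory: it classifies a `--version` string against the fixed versions listed on this page. The function names and sample strings are constructed, and it assumes the output ends in a dotted version with an optional "esr" suffix and that `thunderbird --version` behaves like `firefox --version`.

```shell
#!/bin/sh
# Added example: classify a version string for CVE-2025-1013 using the
# fixed versions on this page (135+ for release, 128.7+ for the ESR branch).
# Assumption: the last field of the string is the version, e.g.
# "Mozilla Firefox 128.6.0esr". Pre-release strings (135.0b3) give "unknown".

# cve_2025_1013_status "<version string>" -> vulnerable | fixed | unknown
cve_2025_1013_status() {
    # Keep the last whitespace-separated field and drop a trailing "esr".
    ver=$(printf '%s\n' "$1" | awk '{print $NF}' | sed 's/esr$//')
    case "$ver" in
        ''|.*|*[!0-9.]*) echo unknown; return ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    # No dot at all (e.g. "135"): treat the minor component as 0.
    if [ "$rest" = "$ver" ]; then rest=0; fi
    minor=${rest%%.*}
    if [ -z "$minor" ]; then minor=0; fi

    # Compare numerically, so 128.10 is correctly newer than 128.7.
    if [ "$major" -ge 135 ]; then
        echo fixed
    elif [ "$major" -eq 128 ] && [ "$minor" -ge 7 ]; then
        # Only the ESR branch reaches 128.7, so the "esr" suffix is not required.
        echo fixed
    else
        echo vulnerable
    fi
}

# check_installed: report the status of each binary found on PATH.
check_installed() {
    for bin in firefox thunderbird; do
        command -v "$bin" >/dev/null 2>&1 || continue
        out=$("$bin" --version 2>/dev/null)
        printf '%s: %s -> %s\n' "$bin" "$out" "$(cve_2025_1013_status "$out")"
    done
}

# Scan the local machine only when asked: sh check.sh --scan
if [ "${1:-}" = "--scan" ]; then check_installed; fi
```

An "unknown" result means the string could not be parsed and the version should be confirmed in the About dialog.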

📡 Detection & Monitoring

Log Indicators:

  • Browser logs showing unexpected window/tab creation events
  • Private browsing session logs appearing in normal session logs

Network Indicators:

  • None - this is a local client-side vulnerability

SIEM Query:

Not applicable for client-side privacy vulnerability
