CVE-2025-13016

7.5 HIGH

📋 TL;DR

CVE-2025-13016 is an incorrect-boundary-condition bug in the WebAssembly component that Firefox, Firefox ESR and Thunderbird share; crafted WebAssembly content can potentially corrupt memory in the process that compiles or runs it. WebAssembly is enabled by default, so any web page reaches the code path without authentication. Realistic outcomes are a crash of the affected process (denial of service) or, with a working exploit, arbitrary code execution inside that process. Fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145 and Thunderbird 140.5.

💻 Affected Systems

Products:
  • Firefox
  • Firefox ESR
  • Thunderbird
Versions: Firefox < 145, Firefox ESR < 140.5, Thunderbird < 145, Thunderbird < 140.5
Operating Systems: All platforms supported by affected software
Default Config Vulnerable: ⚠️ Yes
Notes: All configurations with WebAssembly enabled (default) are vulnerable.

📦 What is this software?

Firefox is Mozilla's web browser and Firefox ESR its extended-support branch used by enterprises; Thunderbird is Mozilla's email and calendar client. All three are built on the same Gecko platform, including the SpiderMonkey JavaScript/WebAssembly engine, which is why a single engine bug produces parallel fixes in every product.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution in the affected process, escalating (with a separate sandbox escape) to full system compromise, data theft, or malware installation.

🟠 Likely Case: Browser/application crash (denial of service) or limited memory corruption that does not yield reliable code execution.

🟢 If Mitigated: No impact once patched; if an unpatched client is exploited, Firefox's default content-process sandbox limits what the attacker gets without a second bug.

🌐 Internet-Facing: HIGH - Web browsers process untrusted web content by design.
🏢 Internal Only: MEDIUM - Internal users could be targeted via malicious internal sites or emails.

🎯 Exploit Status

Public PoC: No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires user interaction: the target must load attacker-controlled content, typically by visiting a malicious or compromised website, including via a link in an email. In Thunderbird, scripting is disabled when reading mail, so a message body alone is not expected to trigger the bug; the risk there is in browser-like contexts such as opened links and embedded web content.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 145, Firefox ESR 140.5, Thunderbird 145, Thunderbird 140.5

Vendor Advisory: https://www.mozilla.org/security/advisories/

Restart Required: Yes

Instructions:

1. Open Firefox or Thunderbird.
2. Go to Menu > Help > About Firefox (or About Thunderbird).
3. Let the automatic update check run and install the update.
4. Restart when prompted; the fix is not active until the old process exits.

On Linux, builds installed from a distribution repository or as a Snap/Flatpak update through that package manager, not the About dialog. In managed fleets, push the updated package and confirm versions centrally rather than relying on every user to restart.

🔧 Temporary Workarounds

Disable WebAssembly (all platforms)

Turns off WebAssembly execution in the affected product. This removes the vulnerable code path but breaks sites and web apps that depend on wasm, so it is a stop-gap, not a substitute for the update.

In Firefox or Thunderbird, open 'about:config' (in Thunderbird: Settings > General > Config Editor), search for 'javascript.options.wasm' and set it to false. To enforce it per profile, add the line user_pref("javascript.options.wasm", false); to a user.js file in the profile directory. To confirm the setting took effect, open the Web Console on any page and check that typeof WebAssembly evaluates to "undefined".

🧯 If You Can't Patch

  • Restrict access to untrusted websites and email content, e.g. with web filtering at the proxy or DNS layer.
  • Use application sandboxing or virtualization for browser instances.
  • Leave the built-in content-process sandbox at its default strength; lowering 'security.sandbox.content.level' removes the main barrier between a successful exploit of this bug and the rest of the system.

🔍 How to Verify

Check if Vulnerable:

Check browser/email client version against affected versions.

Check Version:

Firefox/Thunderbird: Menu > Help > About Firefox/Thunderbird, or run 'firefox --version' / 'thunderbird --version' from a terminal (the banner carries an 'esr' suffix on ESR builds).

Verify Fix Applied:

Confirm version is Firefox ≥145, Firefox ESR ≥140.5, Thunderbird ≥145, or Thunderbird ≥140.5.
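To automate the check above across a fleet, the following script (an added example, not part of this advisory or of Mozilla's tooling) parses the banner printed by 'firefox --version' / 'thunderbird --version' and applies the advisory's thresholds: the 140 ESR branch is fixed in 140.5, every other branch is judged against 145. The sample banners and the local_banner() helper are illustrative assumptions.

```python
import re
import subprocess
from typing import Optional, Tuple

# Thresholds from the advisory: mainline fixed in 145, the 140 ESR branch fixed in 140.5.
# Thunderbird uses the same numbers, so one table serves both products.
FIXED_MAINLINE = (145, 0)
FIXED_ESR_BRANCH = 140
FIXED_ESR = (140, 5)

# Matches the version token in banners such as "Mozilla Firefox 140.4.0esr" or
# "Thunderbird 145.0"; the trailing "esr" is optional.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)(?:\.(\d+))?(esr)?\b", re.IGNORECASE)


def parse_version(banner: str) -> Optional[Tuple[int, int, int, bool]]:
    """Return (major, minor, patch, is_esr) from a --version banner, or None."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3)) if m.group(3) else 0
    return major, minor, patch, m.group(4) is not None


def is_patched(banner: str) -> Optional[bool]:
    """True if the banner is at or past the fixed version for its branch,
    False if it is affected, None if the banner is unparsable."""
    parsed = parse_version(banner)
    if parsed is None:
        return None
    major, minor, _patch, _is_esr = parsed
    if major == FIXED_ESR_BRANCH:
        # 140.x is the supported ESR line: anything below 140.5 is affected.
        return (major, minor) >= FIXED_ESR
    # Every other line is judged against 145: 141-144 are affected mainline
    # releases, and older branches (139 and below, ESR 115) never got the fix.
    return (major, minor) >= FIXED_MAINLINE


def local_banner(binary: str = "firefox") -> Optional[str]:
    """Run '<binary> --version' and return its banner (None if it cannot be run).
    Illustrative helper: on Windows the GUI executable may not write to the
    console, so read the version from the file properties there instead."""
    try:
        out = subprocess.run([binary, "--version"], capture_output=True,
                             text=True, timeout=30, check=False)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    for name in ("firefox", "thunderbird"):
        banner = local_banner(name)
        if banner is None:
            print(f"{name}: not found")
            continue
        state = {True: "patched", False: "AFFECTED", None: "unknown version"}[is_patched(banner)]
        print(f"{name}: {banner!r} -> {state}")
```

The branch logic matters more than it looks: a host on Firefox 144.0.2 is newer than ESR 140.5 numerically but is still affected, and a host on ESR 115 is affected regardless of minor version because that branch never received this fix.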

📡 Detection & Monitoring

Log Indicators:

  • Crashes of firefox.exe/thunderbird.exe on Windows (Application log Event ID 1000, typically faulting module xul.dll, or "unknown" when the fault is in JIT-generated code) and of Gecko content processes on Linux ("Web Content", "Isolated Web Co") faulting in libxul.so; access violations (0xc0000005) and SIGSEGV are the usual signatures of memory corruption
  • Unexpected process termination, especially repeated on the same host within minutes
  • New entries in the client's about:crashes list

Network Indicators:

  • Requests to known malicious domains hosting exploit code. An exploit arrives as an ordinary HTTPS page plus a .wasm fetch (content type application/wasm), so beyond domain reputation the only useful network signal is a wasm download from a previously unseen domain immediately preceding a client crash.

SIEM Query:

(source="firefox.log" OR source="thunderbird.log") AND ("crash" OR "WebAssembly" OR "wasm")

Note: the query above assumes a custom log source. Firefox and Thunderbird do not write a file called firefox.log or thunderbird.log, and the strings "WebAssembly"/"wasm" rarely appear in OS-level crash records. A query against a feed most environments already have is the Windows Application log (index name is deployment-specific):

index=wineventlog EventCode=1000 ("firefox.exe" OR "thunderbird.exe")

On Linux, search journal/syslog lines containing "segfault" from the comm names "Web Content", "Isolated Web Co", "firefox" or "thunderbird" with "libxul.so" as the faulting object. A single crash is weak evidence; prioritise hosts that crash repeatedly in a short window and that the version check above shows to be unpatched.
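The detection logic described in this section, as an added example (not part of the advisory or of any SIEM product): it normalises Windows Event ID 1000 text and Linux kernel segfault lines into crash records, keeps only Mozilla processes, and flags hosts with repeated crashes inside a short window. The log lines in SAMPLE_EVENTS are constructed for the example, not real telemetry; the host names, timestamps and the ten-minute/three-crash burst threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Image names (Windows) and kernel comm names (Linux) under which Firefox and
# Thunderbird crash. Linux logs the 15-char comm of the faulting process, so a
# Gecko content process shows up as "Web Content" or "Isolated Web Co", not "firefox".
MOZILLA_PROCESSES = {
    "firefox.exe", "thunderbird.exe", "firefox", "firefox-bin",
    "thunderbird", "thunderbird-bin", "Web Content", "Isolated Web Co",
}
# The Gecko engine (JS/wasm included) lives in xul, so a fault there is where an
# engine bug lands. JIT code has no module, so "unknown" is not exculpatory.
ENGINE_MODULES = {"xul.dll", "libxul.so", "mozglue.dll", "libmozglue.so"}

# Windows Application log, Event ID 1000, rendered message text.
WIN_RE = re.compile(
    r"Faulting application name: (?P<proc>[^,]+),.*?"
    r"Faulting module name: (?P<mod>[^,]+),.*?"
    r"Exception code: (?P<exc>0x[0-9a-fA-F]+)", re.DOTALL)
# Linux kernel segfault line as seen in journalctl/syslog.
LINUX_RE = re.compile(
    r"(?:kernel: )?(?P<proc>[^\[:]+)\[(?P<pid>\d+)\]: segfault at \S+ .*? in (?P<mod>[^\[\s]+)\[")

# Constructed sample events (timestamp, host, message); not real telemetry.
SAMPLE_EVENTS = [
    ("2025-11-12T09:14:02", "winhost01",
     "Faulting application name: firefox.exe, version: 140.4.0.9387, time stamp: 0x6900a1c2 "
     "Faulting module name: xul.dll, version: 140.4.0.9387, time stamp: 0x6900a1c2 "
     "Exception code: 0xc0000005 Fault offset: 0x00000000012a4f10 Faulting process id: 0x1f40"),
    ("2025-11-12T09:17:40", "winhost01",
     "Faulting application name: firefox.exe, version: 140.4.0.9387, time stamp: 0x6900a1c2 "
     "Faulting module name: xul.dll, version: 140.4.0.9387, time stamp: 0x6900a1c2 "
     "Exception code: 0xc0000005 Fault offset: 0x00000000012a4f10 Faulting process id: 0x2310"),
    ("2025-11-12T09:21:05", "winhost01",
     "Faulting application name: firefox.exe, version: 140.4.0.9387, time stamp: 0x6900a1c2 "
     "Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000 "
     "Exception code: 0xc0000005 Fault offset: 0x000001d4a03f1c22 Faulting process id: 0x2a8c"),
    ("2025-11-12T09:30:11", "winhost02",
     "Faulting application name: notepad.exe, version: 10.0.19041.1, time stamp: 0x5f1a3c2b "
     "Faulting module name: ntdll.dll, version: 10.0.19041.1, time stamp: 0x5f1a3c2b "
     "Exception code: 0xc0000005 Fault offset: 0x0000000000030e12 Faulting process id: 0x1b40"),
    ("2025-11-12T10:02:33", "lnxhost07",
     "kernel: Isolated Web Co[23117]: segfault at 7f3c2a1e0010 ip 00007f3c5d2e4a70 "
     "sp 00007ffd2c1e3b20 error 4 in libxul.so[7f3c5bd00000+5a00000] likely on CPU 3"),
]


def parse_crash(ts, host, message):
    """Normalise one log line into a crash record if it is a Mozilla process crash."""
    m = WIN_RE.search(message) or LINUX_RE.search(message)
    if not m:
        return None
    proc = m.group("proc").strip()
    if proc not in MOZILLA_PROCESSES:
        return None
    mod = m.group("mod").strip()
    return {
        "ts": datetime.fromisoformat(ts), "host": host, "process": proc,
        "module": mod, "exception": m.groupdict().get("exc", "SIGSEGV"),
        "engine_or_jit": mod in ENGINE_MODULES or mod == "unknown",
    }


def mozilla_crashes(events):
    """All Mozilla crash records in a batch of (ts, host, message) tuples."""
    return [rec for rec in (parse_crash(*e) for e in events) if rec]


def crash_bursts(events, window=timedelta(minutes=10), threshold=3):
    """Hosts with at least `threshold` Mozilla crashes inside any `window`.
    A single crash is noise; repeated crashes of one client are worth a look."""
    per_host = defaultdict(list)
    for rec in mozilla_crashes(events):
        per_host[rec["host"]].append(rec["ts"])
    flagged = set()
    for host, times in per_host.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                flagged.add(host)
                break
    return flagged


if __name__ == "__main__":
    for rec in mozilla_crashes(SAMPLE_EVENTS):
        print(rec["host"], rec["process"], rec["module"], rec["exception"])
    print("burst hosts:", crash_bursts(SAMPLE_EVENTS))
```

On the sample data the notepad.exe crash is dropped, the Linux content-process crash is recognised even though the comm name is "Isolated Web Co", and only winhost01 (three firefox.exe crashes in seven minutes) is flagged for follow-up with the version check.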
