CVE-2025-13020

8.8 HIGH

📋 TL;DR

This CVE describes a use-after-free vulnerability in the WebRTC audio/video component of Mozilla products. An attacker who can trigger the freed-memory reuse may execute arbitrary code or cause a denial of service through the resulting memory corruption. Affected users include anyone running vulnerable versions of Firefox, Firefox ESR, or Thunderbird.

💻 Affected Systems

Products:
  • Firefox
  • Firefox ESR
  • Thunderbird
Versions: Firefox < 145, Firefox ESR < 140.5, Thunderbird < 145, Thunderbird < 140.5
Operating Systems: Windows, Linux, macOS, Android
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable when using WebRTC features.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case: Browser/application crash (denial of service) or limited code execution within a sandboxed context.

🟢 If Mitigated: Minimal impact if sandboxing works properly, potentially just an application crash.

🌐 Internet-Facing: HIGH - Web browsers process untrusted content from the internet by design.
🏢 Internal Only: MEDIUM - Internal web applications could still trigger the vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires triggering specific WebRTC conditions but no authentication needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 145+, Firefox ESR 140.5+, Thunderbird 145+, Thunderbird 140.5+

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2025-87/

Restart Required: Yes

Instructions:

1. Open Firefox/Thunderbird.
2. Click menu → Help → About Firefox/Thunderbird.
3. Allow the automatic update to download and install.
4. Restart when prompted.

For enterprise: deploy updated packages via your management system.

🔧 Temporary Workarounds

Disable WebRTC (platform: all)

Prevents exploitation by disabling the vulnerable component.

about:config → media.peerconnection.enabled = false

Use content security policies (platform: all)

Restrict WebRTC usage to trusted domains only.

Header: Content-Security-Policy: default-src 'self'; media-src 'self'

Note that media-src governs which audio/video resources a page may load; it does not by itself stop a page from opening an RTCPeerConnection, so treat this header as defense in depth rather than a substitute for the about:config change.

🧯 If You Can't Patch

  • Isolate affected systems from untrusted networks and websites.
  • Implement application allowlisting to prevent execution of malicious payloads.

🔍 How to Verify

Check if Vulnerable:

Check the browser version in the About dialog, or from the command line with firefox --version or thunderbird --version.

Check Version:

firefox --version or thunderbird --version (Linux/macOS), or check the About dialog (Windows)

Verify Fix Applied:

Confirm version is Firefox ≥145, Firefox ESR ≥140.5, Thunderbird ≥145, or Thunderbird ≥140.5
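The version check above is easy to get wrong because the 140.x ESR branch has its own fix threshold (140.5) while the release branch needs 145. The following Python helper, added here as an example and not part of the advisory or of Mozilla's tooling, parses the output of firefox --version / thunderbird --version and applies the advisory's thresholds; the sample outputs are constructed, and the assumption that any 140.x build belongs to the ESR line even without an "esr" suffix is the author's, not the page's.

```python
import re
import shutil
import subprocess
from typing import Optional, Tuple

# Fixed versions stated in the advisory: release line 145, ESR line 140.5.
FIXED = {"release": (145, 0, 0), "esr": (140, 5, 0)}

# Matches e.g. "Mozilla Firefox 144.0.2" or "Mozilla Thunderbird 140.4.0esr".
VERSION_RE = re.compile(
    r"(?:Firefox|Thunderbird)\s+(\d+)\.(\d+)(?:\.(\d+))?(esr)?", re.IGNORECASE
)

def parse_version(output: str) -> Optional[Tuple[Tuple[int, int, int], bool]]:
    """Return ((major, minor, patch), is_esr) from --version output, or None."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3) or 0)
    # Assumption: the 140.x branch is the ESR line even if the suffix is missing.
    is_esr = bool(m.group(4)) or major == 140
    return (major, minor, patch), is_esr

def is_vulnerable(output: str) -> Optional[bool]:
    """True if the reported build is below the advisory's fixed version for its branch."""
    parsed = parse_version(output)
    if parsed is None:
        return None  # unrecognised output: do not silently report "patched"
    version, is_esr = parsed
    fixed = FIXED["esr"] if is_esr else FIXED["release"]
    return version < fixed

def check_installed(binary: str) -> Optional[bool]:
    """Run `<binary> --version` on this host and evaluate it (None if not installed)."""
    path = shutil.which(binary)
    if path is None:
        return None
    out = subprocess.run([path, "--version"], capture_output=True, text=True)
    return is_vulnerable(out.stdout)

if __name__ == "__main__":
    # Constructed sample outputs covering both branches and the boundary versions.
    for sample in ["Mozilla Firefox 144.0.2", "Mozilla Firefox 140.4.0esr",
                   "Mozilla Firefox 140.5.0esr", "Mozilla Thunderbird 145.0"]:
        print(f"{sample!r}: vulnerable={is_vulnerable(sample)}")
    for binary in ("firefox", "thunderbird"):
        print(f"{binary}: vulnerable={check_installed(binary)}")
```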

📡 Detection & Monitoring

Log Indicators:

  • Browser crash logs with WebRTC/peerconnection references
  • Memory access violation errors in application logs

Network Indicators:

  • Unusual WebRTC STUN/TURN traffic patterns
  • Suspicious media stream initiation

SIEM Query:

(source="*firefox*" OR source="*thunderbird*") AND (error="segmentation fault" OR error="access violation" OR "peerconnection")

The parentheses around the source terms matter: in Splunk-style search AND binds more tightly than OR, so without them the error conditions would apply only to the thunderbird branch.
