CVE-2025-13021

9.8 CRITICAL

📋 TL;DR

A critical vulnerability in Firefox and Thunderbird's WebGPU component allows memory corruption due to incorrect boundary conditions. Attackers can exploit this to execute arbitrary code or cause denial of service. All users of Firefox < 145 and Thunderbird < 145 are affected.

💻 Affected Systems

Products:
  • Mozilla Firefox
  • Mozilla Thunderbird
Versions: Firefox < 145, Thunderbird < 145
Operating Systems: Windows, macOS, Linux, Android
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations with WebGPU enabled are vulnerable. WebGPU is enabled by default in recent Firefox versions.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case

Browser/email client crash (denial of service) or limited code execution within sandbox boundaries.

🟢 If Mitigated

No impact if patched or if WebGPU is disabled via enterprise policies.

🌐 Internet-Facing: HIGH - Exploitable via malicious websites or email content without user interaction.
🏢 Internal Only: MEDIUM - Requires user to visit malicious internal sites or open crafted emails.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation likely requires minimal user interaction (visiting a malicious website). No public exploit code is known at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 145, Thunderbird 145

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2025-87/

Restart Required: Yes

Instructions:

1. Open Firefox/Thunderbird.
2. Click menu → Help → About Firefox/Thunderbird.
3. Allow the automatic update to version 145.
4. Restart the application when prompted.

🔧 Temporary Workarounds

Disable WebGPU (platforms: all)

Disables the vulnerable WebGPU component via a configuration setting.

about:config → Set 'dom.webgpu.enabled' to false

🧯 If You Can't Patch

  • Block access to untrusted websites and email content
  • Use application allowlisting to prevent execution of vulnerable versions

🔍 How to Verify

Check if Vulnerable:

Check the Firefox/Thunderbird version: Menu → Help → About Firefox/Thunderbird. If the version is less than 145, the installation is vulnerable.

Check Version:

firefox --version  # Linux/macOS terminal

Verify Fix Applied:

Confirm version is 145 or higher in About dialog and verify 'dom.webgpu.enabled' is true (if re-enabled).
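The version check above can be scripted. The following POSIX shell script is an added example, not part of the advisory or of Mozilla's tooling: it parses the string printed by `firefox --version` / `thunderbird --version` (assumed to end in the version number, e.g. "Mozilla Firefox 144.0.2"), extracts the major version and compares it with the fixed release, 145. ESR builds print an "esr" suffix; the script compares the major number only, which follows the page's stated rule (< 145 is vulnerable), so consult the vendor advisory for ESR-specific fixed versions.

```shell
#!/bin/sh
# Added example (not from the advisory): flag Firefox/Thunderbird installs
# whose major version is below the fixed release for CVE-2025-13021.

FIXED_MAJOR=145

# major_version "Mozilla Firefox 144.0.2" -> prints "144"
# Assumes the version string is the last whitespace-separated field.
major_version() {
    ver=$(printf '%s\n' "$1" | awk '{print $NF}')
    printf '%s\n' "${ver%%.*}"
}

# is_vulnerable "<version string>"
#   returns 0 if major < 145 (vulnerable), 1 if fixed, 2 if unparseable
is_vulnerable() {
    major=$(major_version "$1")
    case "$major" in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$major" -lt "$FIXED_MAJOR" ]
}

# Query whichever of the two binaries is on PATH (names are assumptions;
# distributions may install them under other names).
check_installed() {
    for bin in firefox thunderbird; do
        if command -v "$bin" >/dev/null 2>&1; then
            out=$("$bin" --version 2>/dev/null)
            if is_vulnerable "$out"; then
                echo "VULNERABLE: $out (update to $FIXED_MAJOR or later)"
            elif [ $? -eq 2 ]; then
                echo "UNKNOWN: could not parse '$out'"
            else
                echo "OK: $out"
            fi
        fi
    done
}

# Only probe the local binaries when invoked with --run, so the functions can
# be sourced and tested without launching a browser.
if [ "${1:-}" = "--run" ]; then
    check_installed
fi
```

Run it as `sh check_ff_version.sh --run` on each host; the major-version comparison is deliberately strict, so a 145.x or later build is reported OK and anything below is flagged.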

📡 Detection & Monitoring

Log Indicators:

  • Application crash logs with WebGPU-related modules
  • Unexpected process termination of Firefox/Thunderbird

Network Indicators:

  • Connections to suspicious domains followed by browser crashes

SIEM Query:

source="firefox.log" AND ("crash" OR "segfault") AND "webgpu"
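The SIEM query above is written in a Splunk-like syntax. As an added example (not from the advisory, and not real Firefox log output), the same condition, ("crash" OR "segfault") AND "webgpu", expressed as a POSIX grep pipeline and run over constructed sample log lines, so the filter can be checked against a plain text log before it is deployed in a SIEM:

```shell
#!/bin/sh
# Added example (not from the advisory): the page's SIEM condition as a
# grep pipeline, exercised on constructed log lines of a hypothetical format.

# Constructed sample log (hypothetical format, not genuine Firefox output).
SAMPLE_LOG='2025-11-12T10:01:03Z firefox[4231]: segfault at 0 ip 00007f in libxul.so (webgpu)
2025-11-12T10:01:05Z firefox[4231]: crash reporter: module gpu/webgpu, reason EXC_BAD_ACCESS
2025-11-12T10:02:00Z firefox[4400]: started session
2025-11-12T10:03:11Z thunderbird[5120]: crash reporter: module imap, reason SIGABRT'

# Pass through only lines that mention a crash/segfault AND webgpu
# (case-insensitive, mirroring the SIEM query's two AND-ed terms).
webgpu_crash_lines() {
    grep -i -E 'crash|segfault' | grep -i 'webgpu'
}

# Number of matching lines in the log supplied on stdin.
count_webgpu_crashes() {
    webgpu_crash_lines | wc -l | tr -d ' '
}

# Usage on a real file:  count_webgpu_crashes < /path/to/firefox.log
# On the constructed sample, two of the four lines match.
printf '%s\n' "$SAMPLE_LOG" | webgpu_crash_lines
```

The fourth sample line shows why both terms are required: a Thunderbird crash in an unrelated module should not be counted as a WebGPU indicator.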
