CVE-2025-13022

9.8 CRITICAL

📋 TL;DR

A critical vulnerability in Firefox and Thunderbird's WebGPU component allows memory corruption due to incorrect boundary conditions. Attackers can exploit this to execute arbitrary code or cause denial of service. All users running affected versions are at risk.

💻 Affected Systems

Products:
  • Mozilla Firefox
  • Mozilla Thunderbird
Versions: Firefox < 145, Thunderbird < 145
Operating Systems: Windows, Linux, macOS, Android
Default Config Vulnerable: ⚠️ Yes
Notes: WebGPU must be enabled (default in affected versions). All configurations with affected versions are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case: Browser/email client crash (denial of service) or limited code execution in a sandboxed context.

🟢 If Mitigated: Minimal impact if systems are patched, isolated, or have additional security controls.

🌐 Internet-Facing: HIGH - Exploitable via malicious websites or emails without user interaction.
🏢 Internal Only: MEDIUM - Requires user to visit malicious internal sites or open malicious emails.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting malicious WebGPU content but no authentication. No public exploits confirmed yet.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 145, Thunderbird 145

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2025-87/

Restart Required: Yes

Instructions:

1. Open Firefox/Thunderbird.
2. Go to Settings > Help > About Firefox/Thunderbird.
3. Allow automatic update to version 145.
4. Restart the application.

🔧 Temporary Workarounds

Disable WebGPU (applies to all platforms)

Temporarily disable the vulnerable WebGPU component: in the Firefox/Thunderbird address bar, type 'about:config', search for 'dom.webgpu.enabled', and set it to false.

🧯 If You Can't Patch

  • Restrict access to untrusted websites and email content.
  • Use application sandboxing or isolation techniques.

🔍 How to Verify

Check if Vulnerable:

Check the application version in About Firefox/Thunderbird. If the version is below 145, the installation is vulnerable.

Check Version:

Run firefox --version (Linux) or check the About menu (all platforms).

Verify Fix Applied:

Confirm that the version is 145 or higher in the About dialog, and verify that WebGPU still works if it is needed.
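One way to script the version check and the workaround check described above, as an added example that is not part of the advisory. It assumes the version string is the output of `firefox --version` or `thunderbird --version` (for example "Mozilla Firefox 144.0.2") and that the about:config workaround is recorded in the profile's prefs.js or user.js as a `user_pref("dom.webgpu.enabled", false);` line.

```shell
#!/bin/sh
# Added verification helper, not part of the advisory. Assumes the version string
# is the output of `firefox --version` / `thunderbird --version` (e.g. "Mozilla
# Firefox 144.0.2") and that the workaround pref lives in the profile's prefs.js
# or user.js as: user_pref("dom.webgpu.enabled", false);

FIXED_MAJOR=145   # first fixed release for both Firefox and Thunderbird

# Print the major version found in a version string; return 1 if none is found.
major_version() {
  mv=$(printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9]*\).*/\1/p')
  [ -n "$mv" ] || return 1
  printf '%s\n' "$mv"
}

# True (0) when the version is below the fixed release; 2 when unparseable.
is_vulnerable_version() {
  vmajor=$(major_version "$1") || return 2
  [ "$vmajor" -lt "$FIXED_MAJOR" ]
}

# True (0) when the given prefs file pins dom.webgpu.enabled to false.
webgpu_disabled_in_prefs() {
  [ -f "$1" ] && grep -Eq '^user_pref\("dom\.webgpu\.enabled", *false\);' "$1"
}

# Overall exposure for one installation: prints a verdict, returns 0 when not
# exposed (patched, or workaround in place) and 1 when exposed.
exposure_status() {
  ver="$1"; prefs="${2:-}"
  is_vulnerable_version "$ver"
  case $? in
    0) if webgpu_disabled_in_prefs "$prefs"; then
         echo "unpatched ($ver) but WebGPU disabled: workaround in place"; return 0
       fi
       echo "EXPOSED: $ver is below $FIXED_MAJOR and WebGPU is enabled"; return 1 ;;
    1) echo "patched: $ver is $FIXED_MAJOR or later"; return 0 ;;
    *) echo "EXPOSED: could not parse version '$ver', treat as unpatched"; return 1 ;;
  esac
}

# Usage: sh check_webgpu.sh "$(firefox --version)" ~/.mozilla/firefox/<profile>/prefs.js
if [ $# -ge 1 ]; then
  exposure_status "$1" "${2:-}"
fi
```

The exit status is 0 only when the installation is patched or the workaround pref is present, so the script can feed a fleet inventory check directly.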

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with WebGPU-related errors
  • Unexpected memory access patterns

Network Indicators:

  • Requests to known malicious domains hosting WebGPU exploit code

SIEM Query:

source="firefox.log" AND ("WebGPU" OR "gpu-process-crash")
