CVE-2025-13023

9.8 CRITICAL

📋 TL;DR

A sandbox escape vulnerability in Firefox and Thunderbird's WebGPU component allows attackers to execute arbitrary code outside browser sandbox restrictions. This affects all users running Firefox versions below 145 or Thunderbird versions below 145. The vulnerability stems from incorrect boundary condition handling in graphics processing.

💻 Affected Systems

Products:
  • Mozilla Firefox
  • Mozilla Thunderbird
Versions: Firefox < 145, Thunderbird < 145
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable. WebGPU must be enabled (default in affected versions).


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with the attacker gaining full control of the affected system, potentially leading to data theft, ransomware deployment, or persistent backdoor installation.

🟠 Likely Case

Arbitrary code execution with the user's privileges, enabling data exfiltration, credential theft, and lateral movement within the network.

🟢 If Mitigated

Limited impact, because defense-in-depth controls such as application sandboxing, endpoint protection, and network segmentation prevent successful exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires the user to visit a malicious website or open a malicious email. No public exploit code was available at disclosure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 145, Thunderbird 145

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2025-87/

Restart Required: Yes

Instructions:

1. Open Firefox/Thunderbird.
2. Click menu → Help → About Firefox/Thunderbird.
3. Allow the automatic update to download and install.
4. Restart the browser when prompted.

🔧 Temporary Workarounds

Disable WebGPU (applies to: all platforms)

Temporarily disable the WebGPU feature to prevent exploitation:

about:config → Set 'dom.webgpu.enabled' to false

Use Content Security Policy (applies to: all platforms)

Implement a strict CSP to block malicious scripts:

Content-Security-Policy: script-src 'self'

Note that a CSP header is sent by a web server and governs only the pages that server serves; it does not restrict scripts on other sites the user visits, so it is not a substitute for disabling WebGPU or applying the patch.

🧯 If You Can't Patch

  • Isolate affected systems from internet and untrusted networks
  • Implement application whitelisting to block unauthorized code execution

🔍 How to Verify

Check if Vulnerable:

Check browser version: Firefox/Thunderbird → Help → About → Verify version is below 145

Check Version:

firefox --version (Linux) or check About dialog (Windows/macOS)

Verify Fix Applied:

Confirm version is 145 or higher in About dialog
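As an added audit helper (not from the advisory or from Mozilla), this POSIX shell script applies the two checks above: it parses the `firefox --version` string to decide whether the build predates the fixed release 145, and reads a profile's prefs.js to see whether the about:config workaround (dom.webgpu.enabled set to false) is in place. The prefs.js path passed via PREFS_JS is an assumption; the `user_pref("name", value);` line format is the one Firefox and Thunderbird write to that file.

```shell
#!/bin/sh
# Added audit helper, not part of the advisory: flags a Firefox/Thunderbird build
# below the fixed release (145) and checks whether the WebGPU workaround pref is set.

FIXED_MAJOR=145

# Returns 0 when the version string (e.g. "Mozilla Firefox 144.0.2", the output of
# `firefox --version`) names a build older than 145, 1 when it is 145 or newer,
# 2 when no version number can be parsed.
is_vulnerable_version() {
    major=$(printf '%s\n' "$1" | tr -c '0-9.\n' ' ' \
        | awk '{ for (i = 1; i <= NF; i++)
                     if ($i ~ /^[0-9]+(\.[0-9]+)*$/) { split($i, a, "."); print a[1]; exit } }')
    [ -n "$major" ] || return 2
    [ "$major" -lt "$FIXED_MAJOR" ]
}

# Returns 0 when the given prefs.js (a profile file written by the browser) pins
# dom.webgpu.enabled to false, i.e. the about:config workaround is in place.
webgpu_disabled_in_prefs() {
    grep -Eq '^user_pref\("dom\.webgpu\.enabled", *false\);' "$1" 2>/dev/null
}

# Prints one status line; returns 0 when the host is covered (patched, or still
# vulnerable but with WebGPU disabled), 1 when exposed, 2 when the version is unreadable.
audit() {
    version="$1"; prefs="$2"
    is_vulnerable_version "$version"
    case $? in
        0)  if webgpu_disabled_in_prefs "$prefs"; then
                echo "WORKAROUND: '$version' is below $FIXED_MAJOR but WebGPU is disabled in $prefs"
                return 0
            fi
            echo "EXPOSED: '$version' is below $FIXED_MAJOR and WebGPU is still enabled"
            return 1 ;;
        1)  echo "PATCHED: '$version' is $FIXED_MAJOR or newer"; return 0 ;;
        *)  echo "UNKNOWN: no version number found in '$version'"; return 2 ;;
    esac
}

# Live check of the installed build; skipped when no firefox binary is on PATH.
# PREFS_JS may point at the profile's prefs.js (the path is an assumption, not from the advisory).
if command -v firefox >/dev/null 2>&1; then
    audit "$(firefox --version 2>/dev/null)" "${PREFS_JS:-/dev/null}"
fi
```

For Thunderbird, pass the output of `thunderbird --version` and that profile's prefs.js to audit instead.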

📡 Detection & Monitoring

Log Indicators:

  • Unusual WebGPU API calls
  • Sandbox violation events
  • Process spawning from browser

Network Indicators:

  • Connections to suspicious domains after visiting websites
  • Unusual outbound traffic patterns

SIEM Query:

process_name:firefox.exe AND event_type:process_creation AND parent_process:firefox.exe

Firefox and Thunderbird are multiprocess applications and routinely start their own child processes (content, GPU and extension processes) with firefox.exe or thunderbird.exe as the parent, so this query also matches normal activity. A higher-signal variant looks for a child whose process_name is not the browser binary itself (a shell, script interpreter or unknown executable) under a firefox.exe or thunderbird.exe parent.
