CVE-2025-13025

7.5 HIGH

📋 TL;DR

This vulnerability involves incorrect boundary conditions in Firefox and Thunderbird's WebGPU component, allowing memory corruption. Attackers could exploit this to execute arbitrary code or cause denial of service. Users of Firefox < 145 or Thunderbird < 145 are affected.

💻 Affected Systems

Products:
  • Mozilla Firefox
  • Mozilla Thunderbird
Versions: Firefox < 145, Thunderbird < 145
Operating Systems: Windows, macOS, Linux, Android
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations with WebGPU enabled are vulnerable. WebGPU is enabled by default in recent Firefox versions.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to full system compromise, data theft, or malware installation.

🟠 Likely Case

Browser crash or denial of service, potentially enabling sandbox escape in combination with other vulnerabilities.

🟢 If Mitigated

Limited impact due to sandboxing, but potential for memory corruption within the browser process.

🌐 Internet-Facing: HIGH - Web browsers directly interact with untrusted internet content.
🏢 Internal Only: MEDIUM - Risk exists if users access malicious internal web content or emails.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires user to visit a malicious website or open a malicious email. No public exploit code is known at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 145, Thunderbird 145

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2025-87/

Restart Required: Yes

Instructions:

1. Open Firefox/Thunderbird.
2. Click menu → Help → About Firefox/Thunderbird.
3. Allow automatic update to version 145.
4. Restart the application when prompted.

🔧 Temporary Workarounds

Disable WebGPU (all platforms)

Temporarily disable the WebGPU feature to prevent exploitation.

In Firefox/Thunderbird address bar, type: about:config
Search for: dom.webgpu.enabled
Set to: false

🧯 If You Can't Patch

  • Disable JavaScript in Firefox/Thunderbird settings to reduce attack surface.
  • Use alternative browsers/email clients until patches can be applied.

🔍 How to Verify

Check if Vulnerable:

Check Firefox/Thunderbird version in Help → About. If version is less than 145, the system is vulnerable.

Check Version:

firefox --version (Linux) or check About dialog on Windows/macOS

Verify Fix Applied:

Confirm version is 145 or higher in Help → About. Verify WebGPU functionality works normally if needed.
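
The version check above and the WebGPU workaround can be combined into one triage step. This is an added example, not vendor or original page code; the sample version string is constructed, and the only values taken from this page are the version threshold 145 and the pref name dom.webgpu.enabled.

```shell
#!/bin/sh
# Added example: classify one installation against this page's criteria.
FIXED_MAJOR=145   # first fixed release, per this page

# "Mozilla Firefox 144.0.2" -> 144; prints nothing if no version is found.
major_version() {
    printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9]*\)\..*$/\1/p' | head -n 1
}

# True only if the profile explicitly sets dom.webgpu.enabled to false.
# prefs.js holds values changed in about:config; user.js is applied on top
# of it at startup, so it is read last and wins. An absent pref counts as
# "not disabled".
webgpu_disabled() {
    state=""
    for f in "$1/prefs.js" "$1/user.js"; do
        [ -f "$f" ] || continue
        v=$(sed -n 's/^[[:space:]]*user_pref("dom\.webgpu\.enabled",[[:space:]]*\([a-z]*\));.*$/\1/p' "$f" | tail -n 1)
        if [ -n "$v" ]; then state=$v; fi
    done
    [ "$state" = "false" ]
}

# classify "<--version output>" [profile_dir]
# prints: patched | mitigated | vulnerable | unknown
classify() {
    major=$(major_version "$1")
    if [ -z "$major" ]; then
        echo unknown
    elif [ "$major" -ge "$FIXED_MAJOR" ]; then
        echo patched
    elif [ -n "${2:-}" ] && webgpu_disabled "$2"; then
        echo mitigated
    else
        echo vulnerable
    fi
}

# Constructed sample input; on a live host pass "$(firefox --version)" and
# the path of the profile directory instead.
classify "Mozilla Firefox 144.0.2"
```

A "mitigated" result covers only the single profile directory passed in; other profiles on the same host need their own check.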

📡 Detection & Monitoring

Log Indicators:

  • Browser crash reports with WebGPU-related stack traces
  • Unexpected process termination of Firefox/Thunderbird

Network Indicators:

  • Requests to suspicious domains hosting WebGPU content
  • Unusual WebGPU API calls in web traffic

SIEM Query:

source="firefox.log" AND ("crash" OR "WebGPU" OR "out-of-bounds")
