CVE-2025-0240Use After Free in Mozilla Firefox

CWE-416Use After Free13 documents8 sources
Severity
4.0MEDIUMNVD
OSV5.4
EPSS
0.0%
top 85.29%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Mozilla ThunderbirdMozilla Firefox
Timeline
PublishedJan 7
Latest updateFeb 2

Description

Parsing a JavaScript module as JSON could, under some circumstances, cause cross-compartment access, which may result in a use-after-free. This vulnerability was fixed in Firefox 134, Firefox ESR 128.6, Thunderbird 134, and Thunderbird 128.6.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 2.5 | Impact: 1.4

Affected Packages4 packages

NVDmozilla/thunderbird129.0134.0+1
Debianmozilla/thunderbird< 1:128.6.0esr-1~deb11u1+3
NVDmozilla/firefox< 128.6.0+1
Ubuntumozilla/firefox< 134.0+build1-0ubuntu0.20.04.1

🔴Vulnerability Details

4
OSV
firefox vulnerabilities2025-01-09
GHSA
GHSA-f3xq-g93v-w8cv: Parsing a JavaScript module as JSON could, under some circumstances, cause cross-compartment access, which may result in a use-after-free2025-01-07
CVEList
Compartment mismatch when parsing JavaScript JSON module2025-01-07
OSV
CVE-2025-0240: Parsing a JavaScript module as JSON could, under some circumstances, cause cross-compartment access, which may result in a use-after-free2025-01-07

📋Vendor Advisories

8
Ubuntu
Thunderbird vulnerabilities2026-02-02
Ubuntu
Firefox vulnerabilities2025-01-09
Red Hat
firefox: Compartment mismatch when parsing JavaScript JSON module2025-01-07
Debian
CVE-2025-0240: firefox - Parsing a JavaScript module as JSON could, under some circumstances, cause cross...2025
Mozilla
Mozilla Foundation Security Advisory 2025-04: CVE-2025-0240
CVE-2025-0240 — Use After Free in Mozilla Firefox | cvebase