CVE-2025-8033NULL Pointer Dereference in Mozilla Firefox

CWE-476NULL Pointer Dereference14 documents8 sources
Severity
6.5MEDIUMNVD
EPSS
0.1%
top 69.74%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Mozilla ThunderbirdMozilla Firefox
Timeline
PublishedJul 22
Latest updateFeb 2

Description

The JavaScript engine did not handle closed generators correctly and it was possible to resume them leading to a nullptr deref. This vulnerability was fixed in Firefox 141, Firefox ESR 115.26, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

NVDmozilla/firefox128.0128.13.0+3
NVDmozilla/thunderbird140.0140.1.0+2
Debianmozilla/thunderbird< 1:128.13.0esr-1~deb11u1+3

🔴Vulnerability Details

3
GHSA
GHSA-j6gx-vvh5-9mwh: The JavaScript engine did not handle closed generators correctly and it was possible to resume them leading to a nullptr deref2025-07-22
OSV
CVE-2025-8033: The JavaScript engine did not handle closed generators correctly and it was possible to resume them leading to a nullptr deref2025-07-22
CVEList
Incorrect JavaScript state machine for generators2025-07-22

📋Vendor Advisories

10
Ubuntu
Thunderbird vulnerabilities2026-02-02
Red Hat
firefox: thunderbird: Incorrect JavaScript state machine for generators2025-07-22
Debian
CVE-2025-8033: firefox - The JavaScript engine did not handle closed generators correctly and it was poss...2025
Mozilla
Mozilla Foundation Security Advisory 2025-59: CVE-2025-8033
Mozilla
Mozilla Foundation Security Advisory 2025-61: CVE-2025-8033
CVE-2025-8033 — NULL Pointer Dereference in Mozilla | cvebase