CVE-2025-0240

MEDIUM EPSS 47.1%
Published Jan 7, 2025 (1y ago) · Modified Jun 17, 2026 (2w ago)
4.0 CVSS 3.1
Medium

Description

Parsing a JavaScript module as JSON could, under some circumstances, cause cross-compartment access, which may result in a use-after-free. This vulnerability was fixed in Firefox 134, Firefox ESR 128.6, Thunderbird 134, and Thunderbird 128.6.

CVSS Details

Base Score: 4.0
Exploitability: 2.5
Impact: 1.4
Vector string: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Threat Intelligence

EPSS Exploit Probability: 47.1% percentile
Exploit & Patch Status: No Known Exploit, No Patch Available

Weaknesses 1

CWE-416: Use After Free (Memory Safety)

Affected Products 4

Vendor   Product      Version  Range
mozilla  firefox      *        <128.6.0
mozilla  firefox      *        <134.0
mozilla  thunderbird  *        <128.6.0
mozilla  thunderbird  *        ≥129.0 – <134.0

References 6

  • bugzilla.mozilla.org https://bugzilla.mozilla.org/show_bug.cgi?id=1929623
    Issue Tracking, Permissions Required
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/01/msg00004.html
  • mozilla.org https://www.mozilla.org/security/advisories/mfsa2025-01/
    Vendor Advisory
  • mozilla.org https://www.mozilla.org/security/advisories/mfsa2025-02/
    Vendor Advisory
  • mozilla.org https://www.mozilla.org/security/advisories/mfsa2025-04/
    Vendor Advisory
  • mozilla.org https://www.mozilla.org/security/advisories/mfsa2025-05/
    Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.