CVE-2025-1009

Critical

Published: 04 February 2025

Published

04 February 2025

Modified

13 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0080 74.1th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-1009 is a critical-severity Use After Free (CWE-416) vulnerability in Mozilla Firefox. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked in the top 25.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Threat & Defense at a Glance

What attackers do: exploitation maps to Drive-by Compromise (T1189) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mandates timely patching of known flaws like CVE-2025-1009 by upgrading to fixed Firefox and Thunderbird versions, comprehensively eliminating the use-after-free vulnerability.

SI-16 Memory Protection partial match

prevent

Implements memory protection safeguards such as ASLR and DEP to mitigate exploitation of the use-after-free in XSLT processing, preventing arbitrary code execution despite the flaw.

RA-5 Vulnerability Monitoring and Scanning partial match

preventdetect

Enables vulnerability scanning to identify systems with vulnerable Firefox/Thunderbird versions affected by CVE-2025-1009, supporting targeted remediation.

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.

attack.mitre.org →

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

T1204.002 Malicious File Execution

An adversary may rely upon a user opening a malicious file in order to gain execution.

attack.mitre.org →

Why these techniques?

Use-after-free in XSLT processing enables remote arbitrary code execution via malicious webpage (drive-by) or document without auth/UI, directly mapping to client-side exploitation and user execution vectors.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

An attacker could have caused a use-after-free via crafted XSLT data, leading to a potentially exploitable crash. This vulnerability was fixed in Firefox 135, Firefox ESR 115.20, Firefox ESR 128.7, Thunderbird 128.7, and Thunderbird 135.

Deeper analysisAI

CVE-2025-1009 is a use-after-free vulnerability (CWE-416) in the processing of crafted XSLT data, which could lead to a potentially exploitable crash. It affects Mozilla Firefox versions prior to 135, Firefox ESR prior to 115.20 and 128.7, Thunderbird prior to 128.7 and 135. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for high impact on confidentiality, integrity, and availability.

Any remote attacker can exploit this vulnerability without privileges or user interaction by tricking a target into processing malicious XSLT data, such as via a malicious webpage or document. Successful exploitation could result in arbitrary code execution, data theft, or denial of service, as the use-after-free may allow memory corruption leading beyond a mere crash.

Mozilla's security advisories (MFSA 2025-07 through 2025-10) and Bugzilla entry 1936613 detail the fix, recommending immediate upgrades to Firefox 135, Firefox ESR 115.20 or 128.7, Thunderbird 128.7 or 135. No workarounds are specified beyond applying the patches.

Details

CWE(s): CWE-416

Affected Products

mozilla

firefox

≤ 115.20.0 · ≤ 135.0 · 128.1.0 — 128.7.0

mozilla

thunderbird

128.0.1 — 128.7.0 · 131.0 — 135.0

CVEs Like This One

CVE-2026-2758Same product: Mozilla Firefox

CVE-2026-2770Same product: Mozilla Firefox

CVE-2026-2764Same product: Mozilla Firefox

CVE-2026-2797Same product: Mozilla Firefox

CVE-2026-2798Same product: Mozilla Firefox

CVE-2026-2772Same product: Mozilla Firefox

CVE-2026-2786Same product: Mozilla Firefox

CVE-2026-2795Same product: Mozilla Firefox

CVE-2026-2766Same product: Mozilla Firefox

CVE-2026-2799Same product: Mozilla Firefox

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1936613
Permissions Required · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2025-07/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2025-08/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2025-09/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2025-10/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2025-11/
Vendor Advisory · security@mozilla.org
https://lists.debian.org/debian-lts-announce/2025/02/msg00005.html
af854a3a-2127-422b-91ae-364da2661108
https://lists.debian.org/debian-lts-announce/2025/02/msg00006.html
af854a3a-2127-422b-91ae-364da2661108