Cyber Resilience

CVE-2025-1010

High

Published: 04 February 2025

Published
04 February 2025
Modified
13 April 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0034 57.3th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-1010 is a high-severity Use After Free (CWE-416) vulnerability in Mozilla Firefox. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked in the top 42.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-1010 is a use-after-free vulnerability (CWE-416) in the Custom Highlight API of Mozilla Firefox and Thunderbird. It affects versions of Firefox prior to 135, Firefox ESR prior to 115.20 and 128.7, Thunderbird prior to 128.7 and 135. The issue allows an attacker to trigger memory corruption, resulting in a potentially exploitable crash, and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A remote attacker can exploit this vulnerability by tricking a user into interacting with malicious content, such as visiting a crafted webpage, due to the requirement for user interaction (UI:R) and no privileges (PR:N). Successful exploitation could lead to high-impact confidentiality, integrity, and availability violations, potentially enabling arbitrary code execution or other severe outcomes from the memory corruption.

Mozilla's security advisories (MFSA 2025-07 through 2025-10) and the associated Bugzilla entry (1936982) confirm the vulnerability was addressed in the specified fixed releases. Security practitioners should prioritize updating affected Firefox and Thunderbird installations to the patched versions to mitigate the risk.

EU & UK References

Vulnerability details

An attacker could have caused a use-after-free via the Custom Highlight API, leading to a potentially exploitable crash. This vulnerability was fixed in Firefox 135, Firefox ESR 115.20, Firefox ESR 128.7, Thunderbird 128.7, and Thunderbird 135.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Use-after-free in browser Custom Highlight API enables drive-by compromise via malicious webpage and client-side exploitation for arbitrary code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-8090Same product: Mozilla Firefox
CVE-2026-2769Same product: Mozilla Firefox
CVE-2026-0882Same product: Mozilla Firefox
CVE-2026-2758Same product: Mozilla Firefox
CVE-2026-2770Same product: Mozilla Firefox
CVE-2026-2764Same product: Mozilla Firefox
CVE-2026-2766Same product: Mozilla Firefox
CVE-2026-2797Same product: Mozilla Firefox
CVE-2026-2772Same product: Mozilla Firefox
CVE-2026-2798Same product: Mozilla Firefox

Affected Assets

mozilla
firefox
≤ 115.20.0 · ≤ 135.0 · 128.1.0 — 128.7.0
mozilla
thunderbird
128.0.1 — 128.7.0 · 131.0 — 135.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires organizations to identify, report, and correct software flaws like the use-after-free vulnerability in CVE-2025-1010 through timely patching to the fixed Firefox and Thunderbird versions.

prevent

Implements memory protections explicitly designed to counter use-after-free errors, such as those exploited in the Custom Highlight API of CVE-2025-1010.

detect

Enables periodic vulnerability scanning to identify systems running vulnerable versions of Firefox or Thunderbird affected by CVE-2025-1010.

References