CVE-2025-1010
Published: 04 February 2025
Summary
CVE-2025-1010 is a high-severity Use After Free (CWE-416) vulnerability in Mozilla Firefox. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked in the top 43.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires organizations to identify, report, and correct software flaws like the use-after-free vulnerability in CVE-2025-1010 through timely patching to the fixed Firefox and Thunderbird versions.
Implements memory protections explicitly designed to counter use-after-free errors, such as those exploited in the Custom Highlight API of CVE-2025-1010.
Enables periodic vulnerability scanning to identify systems running vulnerable versions of Firefox or Thunderbird affected by CVE-2025-1010.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Use-after-free in browser Custom Highlight API enables drive-by compromise via malicious webpage and client-side exploitation for arbitrary code execution.
NVD Description
An attacker could have caused a use-after-free via the Custom Highlight API, leading to a potentially exploitable crash. This vulnerability was fixed in Firefox 135, Firefox ESR 115.20, Firefox ESR 128.7, Thunderbird 128.7, and Thunderbird 135.
Deeper analysisAI
CVE-2025-1010 is a use-after-free vulnerability (CWE-416) in the Custom Highlight API of Mozilla Firefox and Thunderbird. It affects versions of Firefox prior to 135, Firefox ESR prior to 115.20 and 128.7, Thunderbird prior to 128.7 and 135. The issue allows an attacker to trigger memory corruption, resulting in a potentially exploitable crash, and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A remote attacker can exploit this vulnerability by tricking a user into interacting with malicious content, such as visiting a crafted webpage, due to the requirement for user interaction (UI:R) and no privileges (PR:N). Successful exploitation could lead to high-impact confidentiality, integrity, and availability violations, potentially enabling arbitrary code execution or other severe outcomes from the memory corruption.
Mozilla's security advisories (MFSA 2025-07 through 2025-10) and the associated Bugzilla entry (1936982) confirm the vulnerability was addressed in the specified fixed releases. Security practitioners should prioritize updating affected Firefox and Thunderbird installations to the patched versions to mitigate the risk.
Details
- CWE(s)