CVE-2025-1012

High

Published: 04 February 2025

Published

04 February 2025

Modified

13 April 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0043 62.5th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-1012 is a high-severity Use After Free (CWE-416) vulnerability in Mozilla Firefox. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked in the top 37.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Drive-by Compromise (T1189) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mandates timely identification, reporting, and patching of known flaws like this use-after-free vulnerability fixed in updated Firefox and Thunderbird versions.

SI-16 Memory Protection good match

prevent

Enforces memory safeguards such as ASLR and DEP that prevent unauthorized code execution from use-after-free exploits during concurrent delazification.

RA-5 Vulnerability Monitoring and Scanning partial match

detect

Requires vulnerability scanning to identify systems running vulnerable Firefox or Thunderbird versions affected by this CVE prior to exploitation.

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.

attack.mitre.org →

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

T1204.001 Malicious Link Execution

An adversary may rely upon a user clicking a malicious link in order to gain execution.

attack.mitre.org →

Why these techniques?

Browser engine RCE via use-after-free enables drive-by compromise (T1189) and client-side exploitation (T1203) triggered by malicious link/user interaction (T1204.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A race during concurrent delazification could have led to a use-after-free. This vulnerability was fixed in Firefox 135, Firefox ESR 115.20, Firefox ESR 128.7, Thunderbird 128.7, and Thunderbird 135.

Deeper analysisAI

CVE-2025-1012 is a use-after-free vulnerability (CWE-416) caused by a race condition during concurrent delazification in Mozilla Firefox and Thunderbird. The flaw affects versions of Firefox prior to 135, Firefox ESR prior to 115.20 and 128.7, Thunderbird prior to 128.7 and 135. It was publicly disclosed on 2025-02-04 and carries a CVSS v3.1 base score of 7.5.

The vulnerability can be exploited remotely over the network (AV:N) by attackers requiring no privileges (PR:N), though exploitation demands high complexity (AC:H) and user interaction (UI:R), with no change in scope (S:U). Successful attacks could achieve high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), potentially enabling arbitrary code execution or memory corruption in the browser context.

Mozilla's security advisories (MFSA2025-07, MFSA2025-08, MFSA2025-09, and MFSA2025-10), along with Bugzilla entry 1939710, confirm the issue was addressed in the specified fixed releases. Mitigation involves updating affected Firefox and Thunderbird installations to the patched versions as soon as possible.

Details

CWE(s): CWE-416

Affected Products

mozilla

firefox

≤ 115.20.0 · ≤ 135.0 · 128.1.0 — 128.7.0

mozilla

thunderbird

≤ 135.0 · 128.0.1 — 128.7.0

CVEs Like This One

CVE-2026-2758Same product: Mozilla Firefox

CVE-2026-2770Same product: Mozilla Firefox

CVE-2026-2764Same product: Mozilla Firefox

CVE-2026-2797Same product: Mozilla Firefox

CVE-2026-2798Same product: Mozilla Firefox

CVE-2026-2772Same product: Mozilla Firefox

CVE-2026-2786Same product: Mozilla Firefox

CVE-2026-2795Same product: Mozilla Firefox

CVE-2026-2766Same product: Mozilla Firefox

CVE-2026-2799Same product: Mozilla Firefox

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1939710
Permissions Required · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2025-07/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2025-08/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2025-09/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2025-10/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2025-11/
Vendor Advisory · security@mozilla.org
https://lists.debian.org/debian-lts-announce/2025/02/msg00005.html
af854a3a-2127-422b-91ae-364da2661108
https://lists.debian.org/debian-lts-announce/2025/02/msg00006.html
af854a3a-2127-422b-91ae-364da2661108