CVE-2025-1017
Published: 04 February 2025
Summary
CVE-2025-1017 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Mozilla Firefox. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked in the top 46.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires timely identification, reporting, and correction of flaws like these memory safety bugs to prevent exploitation for arbitrary code execution.
Implements memory protection mechanisms such as ASLR and DEP that directly mitigate exploitation of memory corruption from out-of-bounds writes.
Enables scanning for known vulnerabilities like CVE-2025-1017 in deployed Firefox and Thunderbird versions to identify systems needing remediation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Memory corruption (CWE-787) with evidence of arbitrary code execution in a client application (browser/email), directly enabling T1203 Exploitation for Client Execution with no user interaction required.
NVD Description
Memory safety bugs present in Firefox 134, Thunderbird 134, Firefox ESR 128.6, and Thunderbird 128.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run…
more
arbitrary code. This vulnerability was fixed in Firefox 135, Firefox ESR 128.7, Thunderbird 128.7, and Thunderbird 135.
Deeper analysisAI
CVE-2025-1017 is a set of memory safety bugs, classified under CWE-787 (Out-of-bounds Write), affecting Firefox 134, Thunderbird 134, Firefox ESR 128.6, and Thunderbird 128.6. These bugs exhibited evidence of memory corruption, which Mozilla presumes could be exploited with sufficient effort to achieve arbitrary code execution. The vulnerability carries a CVSS v3.1 base score of 9.8, indicating critical severity due to its high impact on confidentiality, integrity, and availability.
Remote attackers can exploit this vulnerability over the network with low complexity, requiring no privileges, no user interaction, and no change in scope. Successful exploitation could allow arbitrary code execution on affected systems, potentially leading to full compromise of the browser or email client.
Mozilla's security advisories (MFSA 2025-07, 09, 10, and 11) detail the fixes applied in Firefox 135, Firefox ESR 128.7, Thunderbird 128.7, and Thunderbird 135. Security practitioners should prioritize updating to these patched versions, with additional details available in the referenced Bugzilla entries for the underlying bugs (1926256, 1935984, 1935471).
Details
- CWE(s)