CVE-2023-25729: 
NixOS vulnerability analysis and mitigation

CVE-2023-25729 is a security vulnerability discovered in Mozilla Firefox, Firefox ESR, and Thunderbird that affects versions prior to Firefox 110, Firefox ESR 102.8, and Thunderbird 102.8. The vulnerability was reported by Vitor Torres and disclosed in February 2023. The issue stems from permission prompts for opening external schemes only being shown for ContentPrincipals, which allowed extensions to open them without user interaction via ExpandedPrincipals (Mozilla Advisory).

The vulnerability occurs when extensions attempt to open external protocol handlers without proper user permission prompts. The issue specifically relates to how permission checks were handled for ExpandedPrincipals versus ContentPrincipals in the browser's security model. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).

The vulnerability could lead to malicious actions such as unauthorized downloading of files or interaction with software already installed on the system. This could potentially result in privilege escalation or execution of arbitrary code on the affected system through protocol handler abuse (Mozilla Advisory, Bugzilla).

The vulnerability was fixed in Firefox 110, Firefox ESR 102.8, and Thunderbird 102.8. Users should update their installations to these versions or newer to receive the security fix. The fix involves implementing proper permission prompts for extensions when attempting to open external schemes (Mozilla Advisory).