CVE-2023-25742: 
NixOS vulnerability analysis and mitigation

CVE-2023-25742 is a vulnerability discovered in Mozilla Firefox, Firefox ESR, and Thunderbird that affects versions prior to Firefox 110, Firefox ESR 102.8, and Thunderbird 102.8. The vulnerability occurs when importing a SPKI RSA public key as ECDSA P-256, where the key would be handled incorrectly causing the browser tab to crash (Mozilla Advisory, NVD).

The vulnerability is related to the Web Crypto API implementation in Mozilla products. When attempting to import an SPKI RSA Public Key while specifying the key type as ECDSA P-256, the incorrect handling of the key type mismatch results in a tab crash instead of throwing an appropriate error or exception. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (NVD).

The primary impact of this vulnerability is a denial-of-service condition through tab crashes. While initially assessed with high severity out of caution, it was later categorized as having a low security impact. There was a slight possibility that it could potentially be exploited to read memory that wouldn't otherwise be accessible (Mozilla Bug).

The vulnerability was fixed in Firefox 110, Firefox ESR 102.8, and Thunderbird 102.8. Mozilla implemented a patch to check the decoded key type before using it, preventing the crash condition. Users are advised to upgrade to these versions or later to mitigate the vulnerability (Mozilla Advisory).