CVE-2023-6205: 
NixOS vulnerability analysis and mitigation

CVE-2023-6205 is a high-severity use-after-free vulnerability discovered in Mozilla Firefox, Firefox ESR, and Thunderbird. The vulnerability was reported by Yangkang of 360 ATA Team and affects Firefox versions before 120, Firefox ESR versions before 115.5.0, and Thunderbird versions before 115.5. The issue was disclosed on November 21, 2023, and received a CVSS v3.1 base score of 6.5 (Medium) (NVD, Mozilla Advisory).

The vulnerability occurs in the MessagePort::Entangled component where it was possible to cause the use of a MessagePort after it had already been freed. The issue stems from improper management of the MessagePort state machine and its lifecycle, particularly in scenarios involving worker shutdown and RTCRtpScriptTransform implementation (Mozilla Advisory).

If successfully exploited, this vulnerability could potentially lead to an exploitable crash of the application. The severity is rated as high due to the potential for arbitrary code execution through memory corruption (Mozilla Advisory, Debian Advisory).

The vulnerability has been patched in Firefox 120, Firefox ESR 115.5.0, and Thunderbird 115.5. Users are strongly advised to upgrade to these versions or later. The fix includes improvements to the MessagePort state machine and additional safeguards to ensure proper cleanup of the actor in the destructor (Mozilla Advisory, Mozilla Advisory ESR).