CVE-2025-0239: 
NixOS vulnerability analysis and mitigation

CVE-2025-0239 is a security vulnerability discovered in Mozilla Firefox and Thunderbird that affects certificate validation. The vulnerability was disclosed on January 7, 2025, and impacts Firefox versions below 134, Firefox ESR below 128.6, Thunderbird below 134, and Thunderbird below 128.6. The issue was reported by security researcher Paul Gerste (Mozilla Advisory).

The vulnerability occurs when using Alt-Svc (Alternative Services) with ALPN (Application-Layer Protocol Negotiation), where the system fails to properly validate certificates in scenarios where the original server redirects to an insecure site. The vulnerability has been assigned a CVSS 3.1 base score of 4.0 (MEDIUM) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. It has been classified under CWE-295 (Improper Certificate Validation) (NVD).

The vulnerability could potentially allow attackers to bypass certificate validation when a server redirects to an insecure site, potentially compromising the security of encrypted communications. The issue has been rated as having a moderate impact by Mozilla (Mozilla Advisory, Red Hat).

The vulnerability has been patched in Firefox 134, Firefox ESR 128.6, Thunderbird 134, and Thunderbird ESR 128.6. Users are advised to upgrade to these versions or later to mitigate the risk (Mozilla Advisory).