CVE-2025-0240: 
NixOS vulnerability analysis and mitigation

CVE-2025-0240 is a security vulnerability discovered in Mozilla Firefox and Thunderbird browsers that was disclosed on January 7, 2025. The vulnerability affects Firefox versions below 134, Firefox ESR below 128.6, Thunderbird below 134, and Thunderbird below 128.6. The issue involves parsing JavaScript modules as JSON, which could lead to cross-compartment access issues (Mozilla Advisory).

The vulnerability is classified as a Use-After-Free (CWE-416) issue that occurs when parsing JavaScript modules as JSON. Under specific circumstances, this parsing operation could cause cross-compartment access, potentially resulting in a use-after-free condition. The vulnerability has been assigned a CVSS 3.1 Base Score of 4.0 (MEDIUM) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (NVD, Red Hat).

The vulnerability could potentially lead to memory corruption and unauthorized cross-compartment access in affected browsers. While rated as moderate impact by Mozilla, the issue could result in a use-after-free condition which might be exploitable under certain circumstances (Mozilla Advisory).

The vulnerability has been fixed in Firefox 134, Firefox ESR 128.6, Thunderbird 134, and Thunderbird 128.6. Users are advised to upgrade to these versions or later to mitigate the risk. The fix has been backported to various supported versions across different distributions (Mozilla Advisory, Ubuntu).