CVE-2025-1009: 
NixOS vulnerability analysis and mitigation

CVE-2025-1009 is a high-severity use-after-free vulnerability discovered in Mozilla products. The vulnerability was disclosed on February 4, 2025, and affects multiple versions of Firefox and Thunderbird browsers. Specifically, it impacts Firefox versions before 135, Firefox ESR versions before 115.20 and 128.7, and Thunderbird versions before 128.7 and 135. The vulnerability was discovered by Ivan Fratric of Google Project Zero (Mozilla Advisory).

The vulnerability is a use-after-free condition that can be triggered via crafted XSLT data, potentially leading to an exploitable crash. It has been assigned a CVSS v3.1 base score of 9.8 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and no required privileges or user interaction (NVD). The vulnerability is classified as CWE-416 (Use After Free) (Red Hat).

The vulnerability poses a critical security risk as it could allow an attacker to potentially execute arbitrary code through memory corruption. In Thunderbird, while the vulnerability is inherited from the Firefox codebase, it is generally not exploitable through email as scripting is disabled when reading mail. However, it may pose a risk in other features that display remote web content (Mozilla Advisory).

Mozilla has released fixes for all affected products. Users should upgrade to Firefox 135, Firefox ESR 115.20, Firefox ESR 128.7, Thunderbird 128.7, or Thunderbird 135, depending on their product version (NVD).