CVE-2025-1010: 
NixOS vulnerability analysis and mitigation

A high-severity use-after-free vulnerability (CVE-2025-1010) was discovered in Mozilla products, affecting Firefox < 135, Firefox ESR < 115.20, Firefox ESR < 128.7, Thunderbird < 128.7, and Thunderbird < 135. The vulnerability was discovered by security researcher Atte Kettunen and disclosed on February 4, 2025 (Mozilla Advisory).

The vulnerability is a use-after-free condition that occurs via the Custom Highlight API, which could lead to a potentially exploitable crash. The issue has been assigned a CVSS v3.1 base score of 8.8 (HIGH) by NVD with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, while CISA-ADP rated it as CRITICAL with a score of 9.8. The vulnerability is classified as CWE-416 (Use After Free) (NVD).

The vulnerability could potentially allow an attacker to execute arbitrary code through memory corruption. The high CVSS scores indicate that successful exploitation could lead to significant impacts on confidentiality, integrity, and availability of the affected systems (Red Hat).

Mozilla has released security updates to address this vulnerability. Users should upgrade to Firefox 135, Firefox ESR 115.20, Firefox ESR 128.7, Thunderbird 128.7, or Thunderbird 135, depending on their product version (Mozilla Advisory).