CVE-2025-1013: 
NixOS vulnerability analysis and mitigation

CVE-2025-1013 is a privacy-related vulnerability discovered in Mozilla Firefox and Thunderbird browsers. The vulnerability was disclosed on February 4, 2025, and affects Firefox < 135, Firefox ESR < 128.7, Thunderbird < 128.7, and Thunderbird < 135. The issue involves a race condition that could potentially lead to private browsing tabs being opened in normal browsing windows (Mozilla Advisory, NVD).

The vulnerability is classified as a race condition (CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization). It has been assigned a CVSS v3.1 base score of 6.5 (Medium) by CISA-ADP with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N. Red Hat has assigned a lower CVSS score of 4.3 with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N (Red Hat CVE).

The primary impact of this vulnerability is a potential privacy leak. If exploited, the race condition could cause private browsing tabs to be opened in normal browsing windows, potentially exposing private browsing data to the regular browsing session. Mozilla has classified this vulnerability as having a 'low' impact rating (Mozilla Advisory).

The vulnerability has been patched in Firefox 135, Firefox ESR 128.7, Thunderbird 128.7, and Thunderbird 135. Users are advised to update their browsers to these versions or later to mitigate the risk. The fix has been distributed through multiple channels including Red Hat Enterprise Linux and Debian systems (Red Hat Advisory, Debian Security).