CVE-2025-10528: 
NixOS vulnerability analysis and mitigation

CVE-2025-10528 is a high-severity vulnerability affecting Mozilla Firefox versions prior to 143, Firefox ESR versions prior to 140.3, Thunderbird versions prior to 143, and Thunderbird ESR versions prior to 140.3. The vulnerability was discovered by security researcher Oskar L and publicly disclosed on September 16, 2025. It involves a sandbox escape due to undefined behavior and invalid pointer in the Graphics: Canvas2D component (Mozilla Advisory).

The vulnerability is classified as a protection mechanism failure (CWE-693) with a CVSS v3.1 base score of 7.3 (High), indicating remote attack vector with low attack complexity and no privileges required. The vulnerability vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, suggesting network accessibility, low complexity, and impacts to confidentiality, integrity, and availability (NVD).

The vulnerability allows for sandbox escape through undefined behavior and invalid pointer manipulation in the Graphics: Canvas2D component. In Thunderbird, while these flaws cannot be exploited through email due to disabled scripting when reading mail, they present potential risks in browser or browser-like contexts (Mozilla Advisory).

Users are advised to update to Firefox version 143, Firefox ESR version 140.3, Thunderbird version 143, or Thunderbird ESR version 140.3 as appropriate. These versions contain the necessary security fixes to address the vulnerability (Mozilla Advisory, Mozilla Advisory).