CVE-2025-10529: 
NixOS vulnerability analysis and mitigation

CVE-2025-10529 is a same-origin policy bypass vulnerability discovered in the Layout component affecting multiple Mozilla products. The vulnerability was identified in Firefox versions prior to 143, Firefox ESR versions before 140.3, Thunderbird versions before 143, and Thunderbird ESR versions prior to 140.3. The vulnerability was disclosed on September 16, 2025, and was reported by security researcher Daniel Holbert (Mozilla Advisory).

The vulnerability has been classified as having a moderate severity impact with a CVSS v3.1 base score of 6.5 (MEDIUM). The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N, indicating that the vulnerability can be exploited over the network, requires low attack complexity, needs no privileges, and requires no user interaction (NVD).

The vulnerability allows for a same-origin policy bypass in the Layout component, which could potentially lead to unauthorized access to cross-origin resources. In Thunderbird, while the impact is rated as moderate, these flaws cannot be exploited through email as scripting is disabled when reading mail, but they remain potential risks in browser or browser-like contexts (Mozilla Advisory).

Mozilla has addressed this vulnerability in Firefox 143, Firefox ESR 140.3, Thunderbird 143, and Thunderbird ESR 140.3. Users are advised to update to these versions or later to mitigate the security risk. Red Hat has also released security updates for affected products through RHSA-2025:16589 (Red Hat Advisory).