CVE-2025-10530: 
NixOS vulnerability analysis and mitigation

CVE-2025-10530 is a spoofing vulnerability discovered in the WebAuthn component specifically affecting Firefox for Android and Thunderbird versions prior to 143. The vulnerability was disclosed on September 16, 2025, and was reported by security researchers Hafiizh & Kang Ali (Mozilla Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N. This indicates that the vulnerability can be exploited over the network, requires low attack complexity, needs no privileges or user interaction, has unchanged scope, and can result in low impact to both confidentiality and integrity, with no impact on availability. The vulnerability has been classified as CWE-290 (Authentication Bypass by Spoofing) (NVD).

The vulnerability poses a moderate security risk, potentially allowing attackers to perform spoofing attacks through the WebAuthn component in Firefox for Android. The impact assessment indicates potential compromise of both confidentiality and integrity at a low level, though no availability impact has been identified (CISA-ADP).

The vulnerability has been patched in Firefox version 143 and Thunderbird version 143. Users are advised to update their installations to these versions or later to mitigate the risk. The fix has been included in the security updates released by Mozilla (Mozilla Advisory, Mozilla Advisory).