CVE-2025-13013: 
NixOS vulnerability analysis and mitigation

CVE-2025-13013 is a mitigation bypass vulnerability discovered in the DOM: Core & HTML component, affecting multiple Mozilla products. The vulnerability was reported by Masato Kinugawa and disclosed on November 11, 2025. The affected products include Firefox versions before 145, Firefox ESR versions before 140.5 and 115.30, Thunderbird versions before 145, and Thunderbird versions before 140.5 (Mozilla Advisory, NVD).

The vulnerability has been assessed with a CVSS v3.1 Base Score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. It has been classified under CWE-288 (Authentication Bypass Using an Alternate Path or Channel) (NVD).

The vulnerability is rated as having a moderate impact on affected systems. In Thunderbird specifically, these flaws cannot be exploited through email as scripting is disabled when reading mail, but they remain potential risks in browser or browser-like contexts (Mozilla Advisory).

Mozilla has released security updates to address this vulnerability. Users should upgrade to Firefox 145.0, Firefox ESR 140.5, Firefox ESR 115.30, Thunderbird 145.0, or Thunderbird 140.5, depending on their product version (Mozilla Advisory, Mozilla Advisory, Mozilla Advisory).