CVE-2025-13018: 
NixOS vulnerability analysis and mitigation

A mitigation bypass vulnerability was discovered in the DOM Security component affecting multiple Mozilla products. The vulnerability (CVE-2025-13018) impacts Firefox versions before 145, Firefox ESR versions before 140.5, Thunderbird versions before 145, and Thunderbird ESR versions before 140.5. The issue was reported by Daniel Veditz and was publicly disclosed on November 11, 2025 (Mozilla Advisory, NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 8.1 (High severity) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N. This indicates that the vulnerability can be exploited remotely, requires low attack complexity, needs no privileges, but does require user interaction. The scope is unchanged, with potential high impacts on both confidentiality and integrity, while availability is not affected (Ubuntu).

The vulnerability has been classified as having a moderate impact on affected systems. When successfully exploited, it could lead to significant security implications due to the bypass of intended security mitigations in the DOM Security component. The high CVSS score particularly highlights potential impacts on system confidentiality and integrity (Mozilla Advisory).

Mozilla has addressed this vulnerability by releasing security updates. Users are advised to upgrade to Firefox version 145.0 or later, Firefox ESR version 140.5 or later, Thunderbird version 145.0 or later, or Thunderbird ESR version 140.5 or later. These updates are available through the standard update channels (Mozilla Advisory, Mozilla ESR Advisory).