CVE-2025-13019: 
NixOS vulnerability analysis and mitigation

A same-origin policy bypass vulnerability was discovered in the DOM: Workers component affecting multiple Mozilla products. The vulnerability (CVE-2025-13019) impacts Firefox versions before 145, Firefox ESR versions before 140.5, Thunderbird versions before 145, and Thunderbird versions before 140.5. The issue was publicly disclosed on November 11, 2025 (NVD, Mozilla Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 8.1 (High), with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N. This indicates that the vulnerability can be exploited over the network, requires low attack complexity, needs no privileges, but does require user interaction. The scope is unchanged, with high impacts on confidentiality and integrity, but no impact on availability (Ubuntu).

The vulnerability allows for a same-origin policy bypass in the DOM Workers component, potentially enabling attackers to access and modify data across different origins. The impact is rated as moderate by Mozilla, though the CVSS score indicates high potential impact on both confidentiality and integrity of affected systems (Mozilla Advisory).

Mozilla has released security updates to address this vulnerability. Users should upgrade to Firefox 145, Firefox ESR 140.5, Thunderbird 145, or Thunderbird 140.5 as appropriate. The fixes have been incorporated into these versions to prevent same-origin policy bypasses in the DOM Workers component (Mozilla Advisory, Mozilla ESR Advisory).