CVE-2025-13020: 
NixOS vulnerability analysis and mitigation

A use-after-free vulnerability was discovered in the WebRTC: Audio/Video component affecting multiple Mozilla products. The vulnerability (CVE-2025-13020) impacts Firefox versions before 145, Firefox ESR versions before 140.5, Thunderbird versions before 145, and Thunderbird versions before 140.5. The vulnerability was reported by Andreas Pehrson and was publicly disclosed on November 11, 2025 (Mozilla Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (High) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. This indicates that the vulnerability can be exploited over the network, requires low attack complexity, needs no privileges, but does require user interaction. The scope is unchanged, and successful exploitation could lead to high impacts on confidentiality, integrity, and availability (Ubuntu CVE).

The vulnerability could potentially allow attackers to execute arbitrary code on affected systems through memory corruption. In Thunderbird, these flaws cannot be exploited through email as scripting is disabled when reading mail, but they remain potential risks in browser or browser-like contexts (Mozilla Advisory).

Mozilla has released fixes for this vulnerability in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5. Users are advised to update to these versions or later to mitigate the vulnerability (Mozilla Advisory, Mozilla Advisory).