CVE-2025-13024: 
NixOS vulnerability analysis and mitigation

CVE-2025-13024 is a high-impact vulnerability discovered in the JavaScript Engine's JIT component affecting Firefox versions below 145 and Thunderbird versions below 145. The vulnerability was reported by Project KillFuzz of Qrious Secure and was publicly disclosed on November 11, 2025 (Mozilla Advisory).

The vulnerability is classified as a JIT miscompilation issue in the JavaScript Engine's JIT component. It has received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, no privileges required, and no user interaction needed. The vulnerability is associated with CWE-733 (Compiler Optimization Removal or Modification of Security-critical Code) (NVD).

The vulnerability has been assessed as having a high impact on affected systems. Given the CVSS score and vector, successful exploitation could lead to complete compromise of system confidentiality, integrity, and availability. The critical severity rating suggests potential for significant security implications if exploited (CISA-ADP).

The vulnerability has been fixed in Firefox 145 and Thunderbird 145. Users of affected versions should upgrade to these latest releases to mitigate the risk. For Thunderbird specifically, it's noted that the vulnerability cannot be exploited through email alone as scripting is disabled when reading mail, but remains a risk in browser-like contexts (Mozilla Advisory).