CVE-2025-13026: 
NixOS vulnerability analysis and mitigation

CVE-2025-13026 is a high-severity vulnerability discovered in Mozilla Firefox and Thunderbird affecting versions prior to 145. The vulnerability was reported by Jamie Nicol and disclosed on November 11, 2025. It involves a sandbox escape vulnerability due to incorrect boundary conditions in the Graphics: WebGPU component (Mozilla Advisory, NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. This indicates that the vulnerability can be exploited remotely with low attack complexity, requires no privileges or user interaction, and can result in high impacts to confidentiality, integrity, and availability. The vulnerability is classified under CWE-703 (Improper Check or Handling of Exceptional Conditions) (NVD).

The vulnerability allows for sandbox escape in the Graphics: WebGPU component, which could potentially allow attackers to break out of the browser's security sandbox. Given the CVSS score of 9.8, successful exploitation could lead to complete compromise of system confidentiality, integrity, and availability (CISA-ADP).

The vulnerability has been fixed in Firefox 145 and Thunderbird 145. Users are strongly advised to upgrade to these versions or later to mitigate the risk. For Thunderbird users, it's worth noting that the risk is somewhat reduced as scripting is disabled by default when reading mail, though the vulnerability remains a potential risk in browser-like contexts (Mozilla Advisory, Thunderbird Advisory).