CVE-2025-3028: 
NixOS vulnerability analysis and mitigation

CVE-2025-3028 is a use-after-free vulnerability discovered in Mozilla products, reported by Ivan Fratric of Google Project Zero. The vulnerability was disclosed on April 1, 2025, affecting Firefox versions before 137, Firefox ESR versions before 115.22 and 128.9, and Thunderbird versions before 137 and 128.9. The issue occurs when JavaScript code runs while transforming a document with the XSLTProcessor (Mozilla Advisory).

The vulnerability is classified as a use-after-free (CWE-416) issue that occurs during document transformation using the XSLTProcessor. According to CISA's assessment, it has received a CVSS v3.1 base score of 6.5 (Medium), with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L (NVD).

The vulnerability has been rated as having a high impact by Mozilla. When exploited, it could lead to memory corruption, potentially allowing attackers to execute arbitrary code on affected systems (Mozilla Advisory).

Mozilla has released fixes for all affected products. Users should upgrade to Firefox 137, Firefox ESR 115.22 or 128.9, and Thunderbird 137 or 128.9, depending on their version. These updates address the vulnerability along with other security issues (Mozilla Advisory).