CVE-2025-3031: 
NixOS vulnerability analysis and mitigation

CVE-2025-3031 is a security vulnerability discovered in Mozilla Firefox and Thunderbird versions prior to 137. The vulnerability was disclosed on April 1, 2025, and was reported by a security researcher known as 'anbu'. It affects the Just-In-Time (JIT) compiler component of these applications, allowing potential exposure of sensitive information (Mozilla Advisory, NVD).

The vulnerability is classified as a JIT optimization bug related to different stack slot sizes. Specifically, it allows an attacker to read 32 bits of values that were spilled onto the stack in a JIT-compiled function. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N. It is categorized under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) (NVD).

The vulnerability has been rated as having a moderate impact. It potentially allows attackers to access sensitive information from the stack memory, which could lead to information disclosure. The vulnerability affects both Firefox and Thunderbird applications, potentially exposing users to information leakage attacks (Mozilla Advisory).

The vulnerability has been fixed in Firefox 137 and Thunderbird 137. Users are advised to update their applications to these versions or later to mitigate the risk. The fix has been implemented across all supported platforms (Mozilla Advisory, Ubuntu Security).