CVE-2025-4083: 
NixOS vulnerability analysis and mitigation

CVE-2025-4083 is a process isolation vulnerability discovered in Mozilla Firefox and Thunderbird that was disclosed on April 29, 2025. The vulnerability affects Firefox < 138, Firefox ESR < 128.10, Firefox ESR < 115.23, Thunderbird < 138, and Thunderbird ESR < 128.10. The vulnerability was discovered by security researcher Nika Layzell (Mozilla Advisory, NVD).

The vulnerability stems from improper handling of javascript: URIs in the browser's process isolation mechanism. This implementation flaw could allow content to execute in the top-level document's process instead of the intended frame, potentially enabling a sandbox escape. The vulnerability has been assigned a CVSS v3.1 base score of 9.1 CRITICAL with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (Wiz).

The vulnerability has been rated as high impact by Mozilla. If successfully exploited, it could allow malicious content to bypass the browser's process isolation mechanisms and execute code in the context of the top-level document's process, effectively escaping the intended sandbox restrictions (Mozilla Advisory).

Mozilla has addressed this vulnerability in Firefox 138, Firefox ESR 128.10, Firefox ESR 115.23, Thunderbird 138, and Thunderbird ESR 128.10. Users are advised to update their installations to these versions or newer to mitigate the risk (Mozilla Advisory).