CVE-2025-49709: 
NixOS vulnerability analysis and mitigation

CVE-2025-49709 is a high-impact security vulnerability affecting Mozilla Firefox versions prior to 139.0.4. The vulnerability was discovered by Yannis Juglaret and Steven Michaud, and was publicly disclosed on June 10, 2025. The issue specifically affects canvas operations in Firefox that could lead to memory corruption (Mozilla Advisory, CVE).

The vulnerability is classified as CWE-787 (Out-of-bounds Write) and has received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. This indicates that the vulnerability is network-accessible, requires low attack complexity, needs no privileges or user interaction, and can result in high impacts to confidentiality, integrity, and availability (NVD).

The vulnerability's critical CVSS score of 9.8 indicates severe potential impacts. As a memory corruption issue in canvas operations, successful exploitation could lead to arbitrary code execution, system crashes, or other forms of memory manipulation that could compromise the security of the affected system (Mozilla Advisory).

Mozilla has addressed this vulnerability in Firefox version 139.0.4. Users are strongly advised to update to this version or later to mitigate the risk. No alternative workarounds have been published (Mozilla Advisory).