CVE-2025-5272: 
NixOS vulnerability analysis and mitigation

CVE-2025-5272 is a memory safety vulnerability discovered in Firefox 138 and Thunderbird 138, disclosed on May 27, 2025. The vulnerability was identified by the Mozilla Fuzzing Team and Andrew Osmond, affecting both Firefox and Thunderbird versions prior to 139. The issue has been assigned a CVSS v3.1 base score of 7.3 (HIGH) and is classified as CWE-787 (Out-of-bounds Write) (NVD, Mozilla Advisory).

The vulnerability is characterized as a memory safety bug that exhibits evidence of memory corruption. The technical assessment indicates potential exploitation paths that could lead to arbitrary code execution if sufficient effort is applied. The vulnerability has been assigned a CVSS v3.1 vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, indicating network accessibility with low attack complexity and no required privileges or user interaction (NVD, Wiz).

The vulnerability's impact is considered moderate, with the potential for attackers to execute arbitrary code through memory corruption exploitation. The security implications include possible unauthorized code execution on affected systems, though this would require significant effort to achieve (Mozilla Advisory, Wiz).

The vulnerability has been addressed in Firefox 139 and Thunderbird 139. Users are strongly advised to update to these latest versions to protect against potential exploitation. No alternative workarounds have been provided for users unable to immediately update (Mozilla Advisory).