CVE-2025-6424: 
NixOS vulnerability analysis and mitigation

A use-after-free vulnerability (CVE-2025-6424) was discovered in the FontFaceSet component of Mozilla Firefox and Thunderbird. The vulnerability was disclosed on June 24, 2025, and affects Firefox versions prior to 140, Firefox ESR versions prior to 115.25 and 128.12, Thunderbird versions prior to 140, and Thunderbird versions prior to 128.12. The vulnerability was discovered by LJP and HexRabbit from the DEVCORE Research Team (Mozilla Advisory).

The vulnerability is classified as a use-after-free condition in the FontFaceSet component that could result in a potentially exploitable crash. The issue has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a high-severity vulnerability with network accessibility, low attack complexity, and no required privileges or user interaction (NVD).

The vulnerability could lead to a potentially exploitable crash of the affected applications. Given the CVSS score and vector string, successful exploitation could result in high impacts on confidentiality, integrity, and availability of the affected systems (CISA-ADP).

Mozilla has released security updates to address this vulnerability. Users should upgrade to Firefox 140, Firefox ESR 115.25, Firefox ESR 128.12, Thunderbird 140, or Thunderbird 128.12, depending on their product version. For Thunderbird users, it's worth noting that the risk is minimized as scripting is disabled when reading mail, though the vulnerability could still be exploited in browser-like contexts (Mozilla Advisory).