CVE-2025-8033: 
NixOS vulnerability analysis and mitigation

CVE-2025-8033 is a vulnerability in the JavaScript engine of Mozilla products discovered in July 2025. The vulnerability affects multiple versions of Firefox (< 141, ESR < 115.26, ESR < 128.13, ESR < 140.1) and Thunderbird (< 141, < 128.13, < 140.1). The issue was reported by security researcher Shaheen Fazim (Mozilla Advisory).

The vulnerability stems from incorrect handling of closed generators in the JavaScript engine, which could lead to a null pointer dereference. The issue has been classified as CWE-476 (NULL Pointer Dereference) with a CVSS v3.1 base score of 6.5 (Medium), using the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N (NVD).

The vulnerability has been assessed with a low impact rating by Mozilla. While the vulnerability could lead to a null pointer dereference, its exploitation potential appears limited. In Thunderbird specifically, the risk is further mitigated as scripting is disabled when reading mail, though it remains a potential risk in browser-like contexts (Mozilla Advisory).

Mozilla has addressed this vulnerability in Firefox 141, Firefox ESR 115.26, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1. Users are advised to update to these or later versions to mitigate the vulnerability (Mozilla Advisory).