Description
Parsing a JavaScript module as JSON could, under some circumstances, cause cross-compartment access, which may result in a use-after-free. This vulnerability was fixed in Firefox 134, Firefox ESR 128.6, Thunderbird 134, and Thunderbird 128.6.
Published: 2025-01-07
Score: 4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Use‑after‑free leading to possible crash or memory corruption
Action: Apply Patch
AI Analysis

Impact

A JavaScript module that contains JSON can trigger a cross‑compartment access flaw, which may cause a use‑after‑free in the parser. The flaw originates from an improper compartment mismatch handling and is classified as CWE‑416. The effect listed in the CVSS score of 4 indicates that the primary consequence is a program crash or unexpected memory corruption, rather than a direct remote code execution.

Affected Systems

The vulnerability affects Mozilla products, namely Firefox and Thunderbird. The security advisory states that the issue has been fixed in Firefox 134 and Firefox ESR 128.6, as well as in Thunderbird 134 and Thunderbird 128.6. No specific version list is supplied beyond the patched releases.

Risk and Exploitability

The EPSS score of less than 1% suggests a very low probability of exploitation, and the vulnerability is not currently listed in CISA’s KEV catalog. The CVSS score of 4 classifies it as low severity. Likely the attack vector requires a crafted JavaScript module delivered to the affected browser, so local or compromised conditions are implied. Because of the low score and limited exploitation probability, the overall risk is considered low, but the use‑after‑free can still be leveraged to crash the browser or potentially corrupt memory if combined with other weaknesses.

Generated by OpenCVE AI on April 20, 2026 at 18:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Firefox to at least version 134 or Firefox ESR 128.6, and upgrade Thunderbird to at least version 134 or Thunderbird 128.6. 
  • If an upgrade cannot be performed immediately, limit or disable the execution of JavaScript modules from untrusted or external sources in the browser settings or through policy configurations. 
  • Continuously monitor security advisories for any changes to the vulnerability status or additional workarounds and apply subsequent patches as they become available.

Generated by OpenCVE AI on April 20, 2026 at 18:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4011-1 firefox-esr security update
Debian DLA Debian DLA DLA-4012-1 thunderbird security update
Debian DSA Debian DSA DSA-5839-1 firefox-esr security update
Debian DSA Debian DSA DSA-5841-1 thunderbird security update
EUVD EUVD EUVD-2025-1572 Parsing a JavaScript module as JSON could, under some circumstances, cause cross-compartment access, which may result in a use-after-free. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird < 128.6.
Ubuntu USN Ubuntu USN USN-7191-1 Firefox vulnerabilities
Ubuntu USN Ubuntu USN USN-7991-1 Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Parsing a JavaScript module as JSON could, under some circumstances, cause cross-compartment access, which may result in a use-after-free. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird < 128.6. Parsing a JavaScript module as JSON could, under some circumstances, cause cross-compartment access, which may result in a use-after-free. This vulnerability was fixed in Firefox 134, Firefox ESR 128.6, Thunderbird 134, and Thunderbird 128.6.
Title firefox: Compartment mismatch when parsing JavaScript JSON module Compartment mismatch when parsing JavaScript JSON module

Mon, 03 Nov 2025 23:30:00 +0000

Type Values Removed Values Added
References

Thu, 03 Apr 2025 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
Vendors & Products Mozilla
Mozilla firefox
Mozilla thunderbird

Thu, 13 Feb 2025 01:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:rhel_aus:8.2
cpe:/a:redhat:rhel_aus:8.6
cpe:/a:redhat:rhel_e4s:8.6
cpe:/a:redhat:rhel_e4s:9.0
cpe:/a:redhat:rhel_eus:8.8
cpe:/a:redhat:rhel_eus:9.4
cpe:/a:redhat:rhel_tus:8.6

Tue, 04 Feb 2025 14:15:00 +0000

Type Values Removed Values Added
Description Parsing a JavaScript module as JSON could under some circumstances cause cross-compartment access, which may result in a use-after-free. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird < 128.6. Parsing a JavaScript module as JSON could, under some circumstances, cause cross-compartment access, which may result in a use-after-free. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird < 128.6.

Mon, 13 Jan 2025 22:15:00 +0000

Type Values Removed Values Added
Description Parsing a JavaScript module as JSON could, under some circumstances, cause cross-compartment access, which may result in a use-after-free. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird ESR < 128.6. Parsing a JavaScript module as JSON could under some circumstances cause cross-compartment access, which may result in a use-after-free. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird < 128.6.

Thu, 09 Jan 2025 14:00:00 +0000

Type Values Removed Values Added
Title firefox: Compartment mismatch when parsing JavaScript JSON module
First Time appeared Redhat
Redhat enterprise Linux
Redhat rhel Aus
Redhat rhel E4s
Redhat rhel Els
Redhat rhel Eus
Redhat rhel Tus
CPEs cpe:/a:redhat:enterprise_linux:8
cpe:/a:redhat:enterprise_linux:9
cpe:/a:redhat:rhel_aus:8.4
cpe:/a:redhat:rhel_e4s:8.4
cpe:/a:redhat:rhel_eus:9.2
cpe:/a:redhat:rhel_tus:8.4
cpe:/o:redhat:rhel_els:7
Vendors & Products Redhat
Redhat enterprise Linux
Redhat rhel Aus
Redhat rhel E4s
Redhat rhel Els
Redhat rhel Eus
Redhat rhel Tus
References
Metrics threat_severity

None

 threat_severity

Moderate

Thu, 09 Jan 2025 08:45:00 +0000

Type Values Removed Values Added
Description Parsing a JavaScript module as JSON could, under some circumstances, cause cross-compartment access, which may result in a use-after-free. This vulnerability affects Firefox < 134 and Firefox ESR < 128.6. Parsing a JavaScript module as JSON could, under some circumstances, cause cross-compartment access, which may result in a use-after-free. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird ESR < 128.6.
References

Wed, 08 Jan 2025 17:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
Metrics cvssV3_1

{'score': 4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 07 Jan 2025 16:15:00 +0000

Type Values Removed Values Added
Description Parsing a JavaScript module as JSON could, under some circumstances, cause cross-compartment access, which may result in a use-after-free. This vulnerability affects Firefox < 134 and Firefox ESR < 128.6.
References

Subscriptions

Mozilla Firefox Thunderbird
Redhat Enterprise Linux Rhel Aus Rhel E4s Rhel Els Rhel Eus Rhel Tus
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:30:06.768Z

Reserved: 2025-01-06T14:49:06.842Z

Link: CVE-2025-0240

cve-icon Vulnrichment

Updated: 2025-11-03T22:33:40.588Z

cve-icon NVD

Status : Modified

Published: 2025-01-07T16:15:38.663

Modified: 2026-04-13T15:16:32.730

Link: CVE-2025-0240

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-01-07T16:07:06Z

Links: CVE-2025-0240 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T18:45:14Z

Weaknesses