CVE-2025-1009 - Vulnerability Details

Description

An attacker could have caused a use-after-free via crafted XSLT data, leading to a potentially exploitable crash. This vulnerability was fixed in Firefox 135, Firefox ESR 115.20, Firefox ESR 128.7, Thunderbird 128.7, and Thunderbird 135.

Published: 2025-02-04

Score: 9.8 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A use‑after‑free flaw was found in the XSLT processing engine, allowing an attacker to supply crafted XSLT data that leads to a crash. The flaw is marked as CWE‑416 and could potentially be leveraged to achieve arbitrary code execution, compromising system confidentiality and integrity.

Affected Systems

Mozilla Firefox versions prior to 135, including Firefox ESR 115.20 and 128.7, and all Mozilla Thunderbird releases before 128.7 and 135 are affected. The same flaw may impact Red Hat Enterprise Linux deriving from packages that embed the vulnerable libraries, as indicated by several Red Hat CPE entries.

Risk and Exploitability

The CVSS score of 9.8 indicates critical severity, and the EPSS score of less than 1% implies low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Attackers are likely to trigger the flaw by delivering a malicious XSLT file or URL that is processed by the victim’s browser or email client, making the most probable vector user interaction with crafted content.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Mozilla

Firefox

affected

Version	Status	Constraints
`115.20`	unaffected	≤ 115.*
`128.7`	unaffected	≤ 128.*
`135`	unaffected	≤ *

Mozilla

Thunderbird

affected

Version	Status	Constraints
`128.7`	unaffected	≤ 128.*
`135`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:a:mozilla:firefox:::::esr:::*
	cpe:2.3:a:mozilla:firefox:::::-:::*
	cpe:2.3:a:mozilla:firefox:::::esr:::*
	cpe:2.3:a:mozilla:thunderbird:::::esr:::*
	cpe:2.3:a:mozilla:thunderbird:::::-:::*

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 7 Extended Lifecycle Support
firefox-0:128.7.0-1.el7_9	cpe:/o:redhat:rhel_els:7	RHSA-2025:1132	2025-02-06T00:00:00Z
Red Hat Enterprise Linux 8
firefox-0:128.7.0-1.el8_10	cpe:/a:redhat:enterprise_linux:8	RHSA-2025:1283	2025-02-11T00:00:00Z
thunderbird-0:128.7.0-1.el8_10	cpe:/a:redhat:enterprise_linux:8	RHSA-2025:1292	2025-02-11T00:00:00Z
Red Hat Enterprise Linux 8.2 Advanced Update Support
firefox-0:128.7.0-1.el8_2	cpe:/a:redhat:rhel_aus:8.2	RHSA-2025:1133	2025-02-06T00:00:00Z
thunderbird-0:128.7.0-1.el8_2	cpe:/a:redhat:rhel_aus:8.2	RHSA-2025:1348	2025-02-12T00:00:00Z
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
firefox-0:128.7.0-1.el8_4	cpe:/a:redhat:rhel_aus:8.4	RHSA-2025:1135	2025-02-06T00:00:00Z
thunderbird-0:128.7.0-1.el8_4	cpe:/a:redhat:rhel_aus:8.4	RHSA-2025:1339	2025-02-12T00:00:00Z
Red Hat Enterprise Linux 8.4 Telecommunications Update Service
firefox-0:128.7.0-1.el8_4	cpe:/a:redhat:rhel_tus:8.4	RHSA-2025:1135	2025-02-06T00:00:00Z
thunderbird-0:128.7.0-1.el8_4	cpe:/a:redhat:rhel_tus:8.4	RHSA-2025:1339	2025-02-12T00:00:00Z
Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
firefox-0:128.7.0-1.el8_4	cpe:/a:redhat:rhel_e4s:8.4	RHSA-2025:1135	2025-02-06T00:00:00Z
thunderbird-0:128.7.0-1.el8_4	cpe:/a:redhat:rhel_e4s:8.4	RHSA-2025:1339	2025-02-12T00:00:00Z
Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
firefox-0:128.7.0-1.el8_6	cpe:/a:redhat:rhel_aus:8.6	RHSA-2025:1136	2025-02-06T00:00:00Z
thunderbird-0:128.7.0-1.el8_6	cpe:/a:redhat:rhel_aus:8.6	RHSA-2025:1341	2025-02-12T00:00:00Z
Red Hat Enterprise Linux 8.6 Telecommunications Update Service
firefox-0:128.7.0-1.el8_6	cpe:/a:redhat:rhel_tus:8.6	RHSA-2025:1136	2025-02-06T00:00:00Z
thunderbird-0:128.7.0-1.el8_6	cpe:/a:redhat:rhel_tus:8.6	RHSA-2025:1341	2025-02-12T00:00:00Z
Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
firefox-0:128.7.0-1.el8_6	cpe:/a:redhat:rhel_e4s:8.6	RHSA-2025:1136	2025-02-06T00:00:00Z
thunderbird-0:128.7.0-1.el8_6	cpe:/a:redhat:rhel_e4s:8.6	RHSA-2025:1341	2025-02-12T00:00:00Z
Red Hat Enterprise Linux 8.8 Extended Update Support
firefox-0:128.7.0-1.el8_8	cpe:/a:redhat:rhel_eus:8.8	RHSA-2025:1137	2025-02-06T00:00:00Z
thunderbird-0:128.7.0-1.el8_8	cpe:/a:redhat:rhel_eus:8.8	RHSA-2025:1340	2025-02-12T00:00:00Z
Red Hat Enterprise Linux 9
firefox-0:128.7.0-1.el9_5	cpe:/a:redhat:enterprise_linux:9	RHSA-2025:1066	2025-02-05T00:00:00Z
thunderbird-0:128.7.0-1.el9_5	cpe:/a:redhat:enterprise_linux:9	RHSA-2025:1184	2025-02-10T00:00:00Z
Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions
firefox-0:128.7.0-1.el9_0	cpe:/a:redhat:rhel_e4s:9.0	RHSA-2025:1138	2025-02-06T00:00:00Z
thunderbird-0:128.7.0-1.el9_0	cpe:/a:redhat:rhel_e4s:9.0	RHSA-2025:1319	2025-02-11T00:00:00Z
Red Hat Enterprise Linux 9.2 Extended Update Support
firefox-0:128.7.0-1.el9_2	cpe:/a:redhat:rhel_eus:9.2	RHSA-2025:1139	2025-02-06T00:00:00Z
thunderbird-0:128.7.0-1.el9_2	cpe:/a:redhat:rhel_eus:9.2	RHSA-2025:1317	2025-02-11T00:00:00Z
Red Hat Enterprise Linux 9.4 Extended Update Support
firefox-0:128.7.0-1.el9_4	cpe:/a:redhat:rhel_eus:9.4	RHSA-2025:1140	2025-02-06T00:00:00Z
thunderbird-0:128.7.0-1.el9_4	cpe:/a:redhat:rhel_eus:9.4	RHSA-2025:1318	2025-02-11T00:00:00Z

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Firefox to 135 or later, including ESR 115.20 and ESR 128.7.
Upgrade Thunderbird to 128.7 or 135.
If upgrading immediately is not feasible, configure the browser to block or disable XSLT processing (for example, adjust the about:config setting for XSLT processing) to reduce risk.
Disable or remove any extensions or add‑ons that inject or manipulate XSLT content until an update is applied.

Generated by OpenCVE AI on April 20, 2026 at 18:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4044-1	firefox-esr security update
Debian DLA	DLA-4045-1	thunderbird security update
Debian DSA	DSA-5858-1	firefox-esr security update
Debian DSA	DSA-5860-1	thunderbird security update
EUVD	EUVD-2025-1964	An attacker could have caused a use-after-free via crafted XSLT data, leading to a potentially exploitable crash. This vulnerability affects Firefox < 135, Firefox ESR < 115.20, Firefox ESR < 128.7, Thunderbird < 128.7, and Thunderbird < 135.
Ubuntu USN	USN-7263-1	Firefox vulnerabilities
Ubuntu USN	USN-7663-1	Thunderbird vulnerabilities

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00822.

Exploitation poc

Automatable yes

Technical Impact total

References

Link	Providers
https://bugzilla.mozilla.org/show_bug.cgi?id=1936613
https://lists.debian.org/debian-lts-announce/2025/02/msg00005.html
https://lists.debian.org/debian-lts-announce/2025/02/msg00006.html
https://nvd.nist.gov/vuln/detail/CVE-2025-1009
https://www.cve.org/CVERecord?id=CVE-2025-1009
https://www.mozilla.org/security/advisories/mfsa2025-07/
https://www.mozilla.org/security/advisories/mfsa2025-08/
https://www.mozilla.org/security/advisories/mfsa2025-09/
https://www.mozilla.org/security/advisories/mfsa2025-10/
https://www.mozilla.org/security/advisories/mfsa2025-11/

History

Mon, 13 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Description	An attacker could have caused a use-after-free via crafted XSLT data, leading to a potentially exploitable crash. This vulnerability affects Firefox < 135, Firefox ESR < 115.20, Firefox ESR < 128.7, Thunderbird < 128.7, and Thunderbird < 135.	An attacker could have caused a use-after-free via crafted XSLT data, leading to a potentially exploitable crash. This vulnerability was fixed in Firefox 135, Firefox ESR 115.20, Firefox ESR 128.7, Thunderbird 128.7, and Thunderbird 135.
Title	firefox: thunderbird: Use-after-free in XSLT	Use-after-free in XSLT

Thu, 26 Feb 2026 23:15:00 +0000

Type	Values Removed	Values Added
Metrics	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`	ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Mon, 03 Nov 2025 21:30:00 +0000

Type	Values Removed	Values Added
References		https://lists.debian.org/debian-lts-announce/2025/02/msg00005.html https://lists.debian.org/debian-lts-announce/2025/02/msg00006.html

Tue, 15 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00196}`	epss `{'score': 0.00277}`

Thu, 13 Feb 2025 01:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:enterprise_linux:8

Fri, 07 Feb 2025 14:30:00 +0000

Type	Values Removed	Values Added
Title		firefox: thunderbird: Use-after-free in XSLT
First Time appeared		Redhat Redhat enterprise Linux Redhat rhel Aus Redhat rhel E4s Redhat rhel Els Redhat rhel Eus Redhat rhel Tus
CPEs		cpe:/a:redhat:enterprise_linux:9 cpe:/a:redhat:rhel_aus:8.2 cpe:/a:redhat:rhel_aus:8.4 cpe:/a:redhat:rhel_aus:8.6 cpe:/a:redhat:rhel_e4s:8.4 cpe:/a:redhat:rhel_e4s:8.6 cpe:/a:redhat:rhel_e4s:9.0 cpe:/a:redhat:rhel_eus:8.8 cpe:/a:redhat:rhel_eus:9.2 cpe:/a:redhat:rhel_eus:9.4 cpe:/a:redhat:rhel_tus:8.4 cpe:/a:redhat:rhel_tus:8.6 cpe:/o:redhat:rhel_els:7
Vendors & Products		Redhat Redhat enterprise Linux Redhat rhel Aus Redhat rhel E4s Redhat rhel Els Redhat rhel Eus Redhat rhel Tus
References		https://nvd.nist.gov/vuln/detail/CVE-2025-1009 https://www.cve.org/CVERecord?id=CVE-2025-1009
Metrics	threat_severity `None`	threat_severity `Important`

Thu, 06 Feb 2025 19:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mozilla Mozilla firefox Mozilla thunderbird
CPEs		cpe:2.3:a:mozilla:firefox:::::-:::* cpe:2.3:a:mozilla:firefox:::::esr:::* cpe:2.3:a:mozilla:thunderbird:::::-:::* cpe:2.3:a:mozilla:thunderbird:::::esr:::*
Vendors & Products		Mozilla Mozilla firefox Mozilla thunderbird

Wed, 05 Feb 2025 19:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 04 Feb 2025 14:15:00 +0000

Type	Values Removed	Values Added
Description		An attacker could have caused a use-after-free via crafted XSLT data, leading to a potentially exploitable crash. This vulnerability affects Firefox < 135, Firefox ESR < 115.20, Firefox ESR < 128.7, Thunderbird < 128.7, and Thunderbird < 135.
References		https://bugzilla.mozilla.org/show_bug.cgi?id=1936613 https://www.mozilla.org/security/advisories/mfsa2025-07/ https://www.mozilla.org/security/advisories/mfsa2025-08/ https://www.mozilla.org/security/advisories/mfsa2025-09/ https://www.mozilla.org/security/advisories/mfsa2025-10/ https://www.mozilla.org/security/advisories/mfsa2025-11/

Subscriptions

Mozilla Firefox Thunderbird

Redhat Enterprise Linux Rhel Aus Rhel E4s Rhel Els Rhel Eus Rhel Tus

MITRE

Status: PUBLISHED

Assigner: mozilla

Published: 2025-02-04T13:58:51.928Z

Updated: 2026-04-13T14:25:07.080Z

Reserved: 2025-02-04T07:26:24.494Z

Link: CVE-2025-1009

Vulnrichment

Updated: 2025-11-03T20:56:46.086Z

NVD

Status : Modified

Published: 2025-02-04T14:15:31.653

Modified: 2026-04-13T15:16:47.983

Link: CVE-2025-1009

Redhat

Severity : Important

Publid Date: 2025-02-04T13:58:51Z

Links: CVE-2025-1009 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-20T18:45:14Z

Weaknesses

CWE-416

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation poc

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object