CVE-2025-1011 - Vulnerability Details

- A bug in WebAssembly code generation could result in a crash

Description

A bug in WebAssembly code generation could have lead to a crash. It may have been possible for an attacker to leverage this to achieve code execution. This vulnerability was fixed in Firefox 135, Firefox ESR 128.7, Thunderbird 128.7, and Thunderbird 135.

Published: 2025-02-04

Score: 9.8 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A bug was discovered in the WebAssembly code generation engine that could cause a crash. The flaw can be exploited by an attacker to execute arbitrary code, compromising the integrity and confidentiality of the system. The weakness manifests as a buffer or code injection error (CWE‑119, CWE‑94) in the way WebAssembly modules are compiled and executed. Accordingly, the impact is potential remote code execution in a user’s process context, which could lead to full system compromise if the application runs with elevated privileges.

Affected Systems

The affected software includes Mozilla Firefox (all releases prior to 135 and ESR 128.7) and Mozilla Thunderbird (all releases prior to 135 and ESR 128.7). Any system running these browsers that has not yet applied the vendor’s update is vulnerable.

Risk and Exploitability

The CVSS score of 9.8 signals a critical severity, yet the EPSS score is below 1%, implying a very low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through a malicious WebAssembly module served to a user’s browser, so targeting users who visit compromised web pages or load untrusted modules. Although exploit availability is low, the high potential impact warrants urgent attention.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Mozilla

Firefox

affected

Version	Status	Constraints
`128.7`	unaffected	≤ 128.*
`135`	unaffected	≤ *

Mozilla

Thunderbird

affected

Version	Status	Constraints
`128.7`	unaffected	≤ 128.*
`135`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:a:mozilla:firefox:::::esr:::*
	cpe:2.3:a:mozilla:firefox:::::-:::*
	cpe:2.3:a:mozilla:thunderbird:::::-:::*
	cpe:2.3:a:mozilla:thunderbird:::::esr:::*

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 7 Extended Lifecycle Support
firefox-0:128.7.0-1.el7_9	cpe:/o:redhat:rhel_els:7	RHSA-2025:1132	2025-02-06T00:00:00Z
Red Hat Enterprise Linux 8
firefox-0:128.7.0-1.el8_10	cpe:/a:redhat:enterprise_linux:8	RHSA-2025:1283	2025-02-11T00:00:00Z
thunderbird-0:128.7.0-1.el8_10	cpe:/a:redhat:enterprise_linux:8	RHSA-2025:1292	2025-02-11T00:00:00Z
Red Hat Enterprise Linux 8.2 Advanced Update Support
firefox-0:128.7.0-1.el8_2	cpe:/a:redhat:rhel_aus:8.2	RHSA-2025:1133	2025-02-06T00:00:00Z
thunderbird-0:128.7.0-1.el8_2	cpe:/a:redhat:rhel_aus:8.2	RHSA-2025:1348	2025-02-12T00:00:00Z
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
firefox-0:128.7.0-1.el8_4	cpe:/a:redhat:rhel_aus:8.4	RHSA-2025:1135	2025-02-06T00:00:00Z
thunderbird-0:128.7.0-1.el8_4	cpe:/a:redhat:rhel_aus:8.4	RHSA-2025:1339	2025-02-12T00:00:00Z
Red Hat Enterprise Linux 8.4 Telecommunications Update Service
firefox-0:128.7.0-1.el8_4	cpe:/a:redhat:rhel_tus:8.4	RHSA-2025:1135	2025-02-06T00:00:00Z
thunderbird-0:128.7.0-1.el8_4	cpe:/a:redhat:rhel_tus:8.4	RHSA-2025:1339	2025-02-12T00:00:00Z
Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
firefox-0:128.7.0-1.el8_4	cpe:/a:redhat:rhel_e4s:8.4	RHSA-2025:1135	2025-02-06T00:00:00Z
thunderbird-0:128.7.0-1.el8_4	cpe:/a:redhat:rhel_e4s:8.4	RHSA-2025:1339	2025-02-12T00:00:00Z
Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
firefox-0:128.7.0-1.el8_6	cpe:/a:redhat:rhel_aus:8.6	RHSA-2025:1136	2025-02-06T00:00:00Z
thunderbird-0:128.7.0-1.el8_6	cpe:/a:redhat:rhel_aus:8.6	RHSA-2025:1341	2025-02-12T00:00:00Z
Red Hat Enterprise Linux 8.6 Telecommunications Update Service
firefox-0:128.7.0-1.el8_6	cpe:/a:redhat:rhel_tus:8.6	RHSA-2025:1136	2025-02-06T00:00:00Z
thunderbird-0:128.7.0-1.el8_6	cpe:/a:redhat:rhel_tus:8.6	RHSA-2025:1341	2025-02-12T00:00:00Z
Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
firefox-0:128.7.0-1.el8_6	cpe:/a:redhat:rhel_e4s:8.6	RHSA-2025:1136	2025-02-06T00:00:00Z
thunderbird-0:128.7.0-1.el8_6	cpe:/a:redhat:rhel_e4s:8.6	RHSA-2025:1341	2025-02-12T00:00:00Z
Red Hat Enterprise Linux 8.8 Extended Update Support
firefox-0:128.7.0-1.el8_8	cpe:/a:redhat:rhel_eus:8.8	RHSA-2025:1137	2025-02-06T00:00:00Z
thunderbird-0:128.7.0-1.el8_8	cpe:/a:redhat:rhel_eus:8.8	RHSA-2025:1340	2025-02-12T00:00:00Z
Red Hat Enterprise Linux 9
firefox-0:128.7.0-1.el9_5	cpe:/a:redhat:enterprise_linux:9	RHSA-2025:1066	2025-02-05T00:00:00Z
thunderbird-0:128.7.0-1.el9_5	cpe:/a:redhat:enterprise_linux:9	RHSA-2025:1184	2025-02-10T00:00:00Z
Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions
firefox-0:128.7.0-1.el9_0	cpe:/a:redhat:rhel_e4s:9.0	RHSA-2025:1138	2025-02-06T00:00:00Z
thunderbird-0:128.7.0-1.el9_0	cpe:/a:redhat:rhel_e4s:9.0	RHSA-2025:1319	2025-02-11T00:00:00Z
Red Hat Enterprise Linux 9.2 Extended Update Support
firefox-0:128.7.0-1.el9_2	cpe:/a:redhat:rhel_eus:9.2	RHSA-2025:1139	2025-02-06T00:00:00Z
thunderbird-0:128.7.0-1.el9_2	cpe:/a:redhat:rhel_eus:9.2	RHSA-2025:1317	2025-02-11T00:00:00Z
Red Hat Enterprise Linux 9.4 Extended Update Support
firefox-0:128.7.0-1.el9_4	cpe:/a:redhat:rhel_eus:9.4	RHSA-2025:1140	2025-02-06T00:00:00Z
thunderbird-0:128.7.0-1.el9_4	cpe:/a:redhat:rhel_eus:9.4	RHSA-2025:1318	2025-02-11T00:00:00Z

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Mozilla Firefox to version 135 or newer, or to ESR 128.7 or newer.
Upgrade Mozilla Thunderbird to version 135 or newer, or to ESR 128.7 or newer.
Apply the latest security updates from your operating system’s package manager for all installed Mozilla products to ensure the patch is in place.

Generated by OpenCVE AI on April 20, 2026 at 18:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4044-1	firefox-esr security update
Debian DLA	DLA-4045-1	thunderbird security update
Debian DSA	DSA-5858-1	firefox-esr security update
Debian DSA	DSA-5860-1	thunderbird security update
EUVD	EUVD-2025-1966	A bug in WebAssembly code generation could have lead to a crash. It may have been possible for an attacker to leverage this to achieve code execution. This vulnerability affects Firefox < 135, Firefox ESR < 128.7, Thunderbird < 128.7, and Thunderbird < 135.
Ubuntu USN	USN-7263-1	Firefox vulnerabilities
Ubuntu USN	USN-7663-1	Thunderbird vulnerabilities

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0022.

Exploitation none

Automatable yes

Technical Impact total

References

Link	Providers
https://bugzilla.mozilla.org/show_bug.cgi?id=1936454
https://lists.debian.org/debian-lts-announce/2025/02/msg00005.html
https://lists.debian.org/debian-lts-announce/2025/02/msg00006.html
https://nvd.nist.gov/vuln/detail/CVE-2025-1011
https://www.cve.org/CVERecord?id=CVE-2025-1011
https://www.mozilla.org/security/advisories/mfsa2025-07/
https://www.mozilla.org/security/advisories/mfsa2025-09/
https://www.mozilla.org/security/advisories/mfsa2025-10/
https://www.mozilla.org/security/advisories/mfsa2025-11/

History

Mon, 13 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Description	A bug in WebAssembly code generation could have lead to a crash. It may have been possible for an attacker to leverage this to achieve code execution. This vulnerability affects Firefox < 135, Firefox ESR < 128.7, Thunderbird < 128.7, and Thunderbird < 135.	A bug in WebAssembly code generation could have lead to a crash. It may have been possible for an attacker to leverage this to achieve code execution. This vulnerability was fixed in Firefox 135, Firefox ESR 128.7, Thunderbird 128.7, and Thunderbird 135.
Title	firefox: thunderbird: A bug in WebAssembly code generation could result in a crash	A bug in WebAssembly code generation could result in a crash

Mon, 03 Nov 2025 21:30:00 +0000

Type	Values Removed	Values Added
References		https://lists.debian.org/debian-lts-announce/2025/02/msg00005.html https://lists.debian.org/debian-lts-announce/2025/02/msg00006.html

Tue, 15 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00074}`	epss `{'score': 0.00104}`

Thu, 13 Feb 2025 01:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:enterprise_linux:8

Fri, 07 Feb 2025 14:30:00 +0000

Type	Values Removed	Values Added
Title		firefox: thunderbird: A bug in WebAssembly code generation could result in a crash
First Time appeared		Redhat Redhat enterprise Linux Redhat rhel Aus Redhat rhel E4s Redhat rhel Els Redhat rhel Eus Redhat rhel Tus
Weaknesses		CWE-119
CPEs		cpe:/a:redhat:enterprise_linux:9 cpe:/a:redhat:rhel_aus:8.2 cpe:/a:redhat:rhel_aus:8.4 cpe:/a:redhat:rhel_aus:8.6 cpe:/a:redhat:rhel_e4s:8.4 cpe:/a:redhat:rhel_e4s:8.6 cpe:/a:redhat:rhel_e4s:9.0 cpe:/a:redhat:rhel_eus:8.8 cpe:/a:redhat:rhel_eus:9.2 cpe:/a:redhat:rhel_eus:9.4 cpe:/a:redhat:rhel_tus:8.4 cpe:/a:redhat:rhel_tus:8.6 cpe:/o:redhat:rhel_els:7
Vendors & Products		Redhat Redhat enterprise Linux Redhat rhel Aus Redhat rhel E4s Redhat rhel Els Redhat rhel Eus Redhat rhel Tus
References		https://nvd.nist.gov/vuln/detail/CVE-2025-1011 https://www.cve.org/CVERecord?id=CVE-2025-1011
Metrics	threat_severity `None`	threat_severity `Moderate`

Thu, 06 Feb 2025 20:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mozilla Mozilla firefox Mozilla thunderbird
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:a:mozilla:firefox:::::-:::* cpe:2.3:a:mozilla:firefox:::::esr:::* cpe:2.3:a:mozilla:thunderbird:::::-:::* cpe:2.3:a:mozilla:thunderbird:::::esr:::*
Vendors & Products		Mozilla Mozilla firefox Mozilla thunderbird

Wed, 05 Feb 2025 19:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-94
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 04 Feb 2025 14:15:00 +0000

Type	Values Removed	Values Added
Description		A bug in WebAssembly code generation could have lead to a crash. It may have been possible for an attacker to leverage this to achieve code execution. This vulnerability affects Firefox < 135, Firefox ESR < 128.7, Thunderbird < 128.7, and Thunderbird < 135.
References		https://bugzilla.mozilla.org/show_bug.cgi?id=1936454 https://www.mozilla.org/security/advisories/mfsa2025-07/ https://www.mozilla.org/security/advisories/mfsa2025-09/ https://www.mozilla.org/security/advisories/mfsa2025-10/ https://www.mozilla.org/security/advisories/mfsa2025-11/

Subscriptions

Mozilla Firefox Thunderbird

Redhat Enterprise Linux Rhel Aus Rhel E4s Rhel Els Rhel Eus Rhel Tus

MITRE

Status: PUBLISHED

Assigner: mozilla

Published: 2025-02-04T13:58:53.239Z

Updated: 2026-04-13T14:25:12.907Z

Reserved: 2025-02-04T07:26:29.564Z

Link: CVE-2025-1011

Vulnrichment

Updated: 2025-11-03T20:56:51.660Z

NVD

Status : Modified

Published: 2025-02-04T14:15:31.887

Modified: 2026-04-13T15:16:49.467

Link: CVE-2025-1011

Redhat

Severity : Moderate

Publid Date: 2025-02-04T13:58:53Z

Links: CVE-2025-1011 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-20T18:30:13Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object