Description
Mitigation bypass in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Firefox ESR 115.30, Thunderbird 145, and Thunderbird 140.5.
Published: 2025-11-11
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting via DOM mitigation bypass
Action: Immediate Patch
AI Analysis

Impact

The vulnerability permits an attacker to bypass built‑in DOM mitigations, allowing injection of malicious scripts into web content understood by Firefox or Thunderbird. This bypass is triggered by malformed HTML or JavaScript that is otherwise sanitized, giving an attacker the ability to execute arbitrary code within the context of the application. The weakness is captured by CWE-79 and CWE-288, indicating improper input validation leading to cross‑site scripting and potential denial of service.

Affected Systems

The flaw affects Mozilla Firefox and Mozilla Thunderbird across both the main releases and ESR streams. Versions fixed in the vendor advisories are Firefox 145, ESR 140.5, ESR 115.30 and Thunderbird 145, Thunderbird 140.5. The data does not list the earliest affected releases, so any older build may be vulnerable; it is recommended to target installations below those versions for patching.

Risk and Exploitability

The CVSS score of 6.1 indicates a medium severity. The EPSS score of less than 1% suggests a very low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through a malicious web page or web application that the user visits, where the bypass allows the injected payload to run. The impact extends to confidentiality, integrity, and availability of the compromised system if the attacker carries out privilege escalation scripts or Post‑Message attacks.

Generated by OpenCVE AI on April 20, 2026 at 17:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mozilla Firefox to version 145 or later (or ESR 140.5 or ESR 115.30 for ESR users).
  • Upgrade Mozilla Thunderbird to version 145 or later (or ESR 140.5 for ESR users).
  • If upgrading is not immediately possible, restrict potentially malicious content via a stricter content security policy or site isolation where supported.

Generated by OpenCVE AI on April 20, 2026 at 17:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4370-1 firefox-esr security update
Debian DLA Debian DLA DLA-4372-1 thunderbird security update
Debian DSA Debian DSA DSA-6054-1 firefox-esr security update
Debian DSA Debian DSA DSA-6059-1 thunderbird security update
Ubuntu USN Ubuntu USN USN-7991-1 Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Mitigation bypass in the DOM: Core & HTML component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Firefox ESR < 115.30, Thunderbird < 145, and Thunderbird < 140.5. Mitigation bypass in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Firefox ESR 115.30, Thunderbird 145, and Thunderbird 140.5.

Wed, 19 Nov 2025 19:30:00 +0000

Type Values Removed Values Added
Description Mitigation bypass in the DOM: Core & HTML component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, and Firefox ESR < 115.30. Mitigation bypass in the DOM: Core & HTML component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Firefox ESR < 115.30, Thunderbird < 145, and Thunderbird < 140.5.
References

Mon, 17 Nov 2025 12:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*

Thu, 13 Nov 2025 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-288
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 12 Nov 2025 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Mozilla firefox Esr
Vendors & Products Mozilla
Mozilla firefox
Mozilla firefox Esr

Wed, 12 Nov 2025 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79
References
Metrics threat_severity

None

 cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

threat_severity

Moderate

Tue, 11 Nov 2025 16:00:00 +0000

Type Values Removed Values Added
Description Mitigation bypass in the DOM: Core & HTML component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, and Firefox ESR < 115.30.
Title Mitigation bypass in the DOM: Core & HTML component
References

Subscriptions

Mozilla Firefox Firefox Esr
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:26:34.039Z

Reserved: 2025-11-11T15:12:05.806Z

Link: CVE-2025-13013

cve-icon Vulnrichment

Updated: 2025-11-13T15:36:18.768Z

cve-icon NVD

Status : Modified

Published: 2025-11-11T16:15:38.367

Modified: 2026-04-13T15:16:42.123

Link: CVE-2025-13013

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-11-11T15:47:11Z

Links: CVE-2025-13013 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T17:45:12Z

Weaknesses