Description
Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5.
Published: 2025-11-11
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑site scripting via DOM mitigation bypass
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a mitigation bypass in the DOM's security component, allowing an attacker to inject malicious script into pages rendered by Firefox or Thunderbird. Because the validation logic is circumvented, the injected JavaScript runs in the context of the victim’s browser, giving the attacker the ability to hijack or alter data, perform click‑jacking, or execute arbitrary code (CWE‑79).

Affected Systems

Mozilla Firefox versions before 145 and Firefox ESR before 140.5, as well as Mozilla Thunderbird versions before 145 and Thunderbird ESR before 140.5 are affected. These are the mainstream and extended‑support editions widely used on consumer and enterprise systems.

Risk and Exploitability

The CVSS score is 8.1, indicating high severity, but the EPSS score is below 1 %, meaning the likelihood of exploitation in the wild is low. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker could trigger it by delivering a malicious web page or email that leverages the DOM; no elevated privileges or network access are required, and the exploitation is local to the user’s browser.

Generated by OpenCVE AI on April 20, 2026 at 19:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Firefox 145 or later or Firefox ESR 140.5 or later; upgrade Thunderbird 145 or later or Thunderbird ESR 140.5 or later
  • In environments where updating immediately is not possible, consider disabling or restricting DOM content injection in user‑configured policies or sandboxing the affected applications
  • Regularly review Mozilla security advisories and apply patches as soon as they become available

Generated by OpenCVE AI on April 20, 2026 at 19:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4370-1 firefox-esr security update
Debian DLA Debian DLA DLA-4372-1 thunderbird security update
Debian DSA Debian DSA DSA-6054-1 firefox-esr security update
Debian DSA Debian DSA DSA-6059-1 thunderbird security update
Ubuntu USN Ubuntu USN USN-7991-1 Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Mitigation bypass in the DOM: Security component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Thunderbird < 145, and Thunderbird < 140.5. Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5.

Wed, 19 Nov 2025 19:30:00 +0000

Type Values Removed Values Added
Description Mitigation bypass in the DOM: Security component. This vulnerability affects Firefox < 145 and Firefox ESR < 140.5. Mitigation bypass in the DOM: Security component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Thunderbird < 145, and Thunderbird < 140.5.
References

Mon, 17 Nov 2025 12:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*

Wed, 12 Nov 2025 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-288
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}

Wed, 12 Nov 2025 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Mozilla firefox Esr
Vendors & Products Mozilla
Mozilla firefox
Mozilla firefox Esr

Wed, 12 Nov 2025 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79
References
Metrics threat_severity

None

 cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

threat_severity

Moderate

Tue, 11 Nov 2025 16:00:00 +0000

Type Values Removed Values Added
Description Mitigation bypass in the DOM: Security component. This vulnerability affects Firefox < 145 and Firefox ESR < 140.5.
Title Mitigation bypass in the DOM: Security component
References

Subscriptions

Mozilla Firefox Firefox Esr
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:26:30.229Z

Reserved: 2025-11-11T15:12:17.945Z

Link: CVE-2025-13018

cve-icon Vulnrichment

Updated: 2025-11-12T15:12:42.970Z

cve-icon NVD

Status : Modified

Published: 2025-11-11T16:15:38.900

Modified: 2026-04-13T15:16:43.020

Link: CVE-2025-13018

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-11-11T15:47:16Z

Links: CVE-2025-13018 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T19:15:15Z

Weaknesses