VYPR
High severity 8.1 · NVD Advisory · Published Nov 11, 2025 · Updated Apr 13, 2026

CVE-2025-13027

Description

Memory safety bugs present in Firefox 144 and Thunderbird 144. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 145 and Thunderbird 145.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Memory safety bugs in Firefox 144 and Thunderbird 144 could allow arbitrary code execution; fixed in versions 145.

Vulnerability Overview

CVE-2025-13027 is a catch-all identifier for multiple memory safety bugs present in Firefox 144 and Thunderbird 144. The official description states that some of these bugs showed evidence of memory corruption, and that with enough effort some could have been exploited to run arbitrary code. The advisory notes that these flaws cannot be exploited through email in Thunderbird because scripting is disabled when reading mail, but that they are potential risks in browser or browser-like contexts [1][2].

Exploitation

These vulnerabilities are memory safety bugs that could be triggered in browser or browser-like contexts. The advisory for Thunderbird notes that scripting is disabled when reading mail, so exploitation through email is not possible. However, in a full browser environment, an attacker could craft a web page or other content that triggers the memory corruption. The bugs were reported by multiple researchers, including Atte Kettunen, Irvan Kurniawan, Oskar L, Igor Morgenstern, and others, and are tracked in several Bugzilla bugs [1][2].

Impact

Successful exploitation could allow an attacker to run arbitrary code on the affected system. The severity is rated High with a CVSS v3 score of 8.1. The impact is similar to other memory corruption vulnerabilities in browser engines, potentially leading to full system compromise if exploited in a browser context [1][2].

Mitigation

Mozilla has fixed these vulnerabilities in Firefox 145 and Thunderbird 145. Users are strongly advised to update to these versions or later. No workarounds are mentioned; the only mitigation is to apply the updates [1][2].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3

References

3
