CVE-2025-1010: Use After Free
First published: Tue Feb 04 2025(Updated: )
An attacker could have caused a use-after-free via the Custom Highlight API, leading to a potentially exploitable crash.
Credit: security@mozilla.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mozilla Firefox | <135 | 135 |
| Mozilla Firefox ESR | <115.20 | 115.20 |
| Mozilla Thunderbird | <135 | 135 |
| <128.7 | 128.7 | |
| <128.7 | 128.7 | |
| Mozilla Firefox | <115.20.0 | |
| Mozilla Firefox | <135.0 | |
| Mozilla Firefox | >=128.1.0<128.7.0 | |
| Mozilla Thunderbird | >=128.0.1<128.7.0 | |
| Mozilla Thunderbird | >=131.0<135.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.mozilla.org/show_bug.cgi?id=1936982
- https://www.mozilla.org/en-US/security/advisories/mfsa2025-07/
- https://www.mozilla.org/en-US/security/advisories/mfsa2025-08/
- https://www.mozilla.org/en-US/security/advisories/mfsa2025-11/
- https://www.mozilla.org/en-US/security/advisories/mfsa2025-09/
- https://www.mozilla.org/en-US/security/advisories/mfsa2025-10/
- https://www.mozilla.org/security/advisories/mfsa2025-07/
- https://www.mozilla.org/security/advisories/mfsa2025-08/
- https://www.mozilla.org/security/advisories/mfsa2025-09/
- https://www.mozilla.org/security/advisories/mfsa2025-10/
- https://www.mozilla.org/security/advisories/mfsa2025-11/
- https://access.redhat.com/errata/RHSA-2025:1066
- https://access.redhat.com/errata/RHSA-2025:1133
- https://access.redhat.com/errata/RHSA-2025:1135
- https://access.redhat.com/errata/RHSA-2025:1138
- https://access.redhat.com/errata/RHSA-2025:1136
- https://access.redhat.com/errata/RHSA-2025:1132
- https://access.redhat.com/errata/RHSA-2025:1137
- https://access.redhat.com/errata/RHSA-2025:1139
- https://access.redhat.com/errata/RHSA-2025:1140
- https://bugzilla.redhat.com/show_bug.cgi?id=2343750
Parent vulnerabilities
(Appears in the following advisories)
Peer vulnerabilities
(Found alongside the following vulnerabilities)
Frequently Asked Questions
What is the severity of CVE-2025-1010?
CVE-2025-1010 is classified as a high-severity vulnerability due to its potential for exploitation via a use-after-free in the Custom Highlight API.
How do I fix CVE-2025-1010?
To remediate CVE-2025-1010, update Firefox to version 135, Firefox ESR to version 115.20, or Thunderbird to version 128.7 or later.
Which versions are affected by CVE-2025-1010?
The affected versions of Mozilla products include Firefox versions prior to 135, Thunderbird versions prior to 135, and Firefox ESR versions prior to 115.20.
What could an attacker achieve by exploiting CVE-2025-1010?
An attacker exploiting CVE-2025-1010 could potentially cause a crash in the affected application, leading to disruptive service and possible further attacks.
Is there a workaround available for CVE-2025-1010?
There are no known workarounds for CVE-2025-1010, making it essential to update to the latest secure versions of the affected applications.
- collector/mozilla-advisory
- source/Mozilla
- agent/software-canonical-lookup
- agent/weakness
- agent/first-publish-date
- agent/type
- agent/author
- agent/references
- agent/source
- agent/description
- collector/nvd-api
- source/NVD
- agent/last-modified-date
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/event
- collector/mitre-cve
- source/MITRE
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2025-1010
- vendor/mozilla
- canonical/mozilla firefox
- canonical/mozilla firefox esr
- canonical/mozilla thunderbird
- version/mozilla firefox/128.1.0
- version/mozilla thunderbird/128.0.1
- version/mozilla thunderbird/131.0