Mozilla releases patches for Mozilla Firefox & Thunderbird, at least three critical
Take action: Patch your Firefox and Firefox-based browsers (Waterfox, Tor) and your Thunderbird ASAP. There are no immediately reported exploits, but there are at least three critical flaws, and browsers are by their nature exposed to everything malicious on the Web.
Mozilla has released security updates addressing multiple high-severity and at least three critical vulnerabilities in Firefox and Thunderbird.
Mozilla Firefox Update: Firefox version 135, along with corresponding updates for Thunderbird 135, Firefox ESR 128.7, Firefox ESR 115.20, and Thunderbird ESR 128.7, addresses multiple security vulnerabilities:
- CVE-2025-1009 (CVSS score 9.8) - Use-after-free vulnerability in XSLT
- CVE-2025-1016 (CVSS score 9.8) - Memory safety bugs affecting Firefox 134, Thunderbird 134, and ESR versions
- CVE-2025-1020 (CVSS score 9.8) - Memory safety bugs specific to Firefox 134 and Thunderbird 134
- CVE-2025-1010 (CVSS score 8.8) - Use-after-free vulnerability in the Custom Highlight API, reported by Atte Kettunen
Mozilla also addressed several moderate and low-severity vulnerabilities that could potentially lead to:
- Spoofing attacks through fullscreen notification issues
- Code execution through WebAssembly code generation
- Privacy leaks through private browsing window handling
- Certificate verification issues
The use-after-free vulnerabilities could potentially lead to code execution, data corruption, or denial of service attacks. Mozilla has not reported any active exploitation of these vulnerabilities in the wild.
Users are strongly advised to update their browsers immediately to the latest versions:
- Firefox: Version 135
- Firefox ESR: 128.7 and 115.20
- Thunderbird: Version 135 and ESR 128.7
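To check an inventory against the fixed versions listed above, the following is an added example (not part of the original advisory or Mozilla's tooling). It assumes version strings in the form printed by `firefox --version` or `thunderbird --version`; the sample lines are constructed.

```python
import re

# Fixed releases named in this advisory.
MAINLINE_FIXED = 135                      # Firefox 135 / Thunderbird 135
FIXED_BRANCHES = {                        # ESR branches: {major: minimum minor}
    "firefox": {128: 7, 115: 20},         # Firefox ESR 128.7 and 115.20
    "thunderbird": {128: 7},              # Thunderbird ESR 128.7
}

VERSION_RE = re.compile(r"(firefox|thunderbird)\D*?(\d+)(?:\.(\d+))?", re.IGNORECASE)


def classify(version_line):
    """Return (product, status) where status is patched, needs_update or unknown."""
    m = VERSION_RE.search(version_line)
    if not m:
        return (None, "unknown")          # unparseable: flag for manual review
    product = m.group(1).lower()
    major, minor = int(m.group(2)), int(m.group(3) or 0)
    if major >= MAINLINE_FIXED:
        return (product, "patched")
    required = FIXED_BRANCHES[product].get(major)
    if required is not None and minor >= required:
        return (product, "patched")
    # Either below the fixed point release, or on a branch with no fix listed here.
    return (product, "needs_update")


def audit(inventory):
    """Map host -> status for a {host: version_line} inventory."""
    return {host: classify(line)[1] for host, line in inventory.items()}


# Constructed sample inventory (hypothetical host names).
SAMPLE = {
    "ws-01": "Mozilla Firefox 135.0",
    "ws-02": "Mozilla Firefox 134.0.2",
    "ws-03": "Mozilla Firefox 128.6.0esr",
    "ws-04": "Mozilla Firefox 115.20.0esr",
    "ws-05": "Mozilla Thunderbird 128.7.0esr",
    "ws-06": "Mozilla Thunderbird 115.20.0",
    "ws-07": "command not found",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown` need a manual check rather than being assumed safe.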