CVE-2025-13016 affects Mozilla Firefox


A newly discovered security flaw tracked as CVE-2025-13016 exposes over 180 million Firefox and Thunderbird users to potential arbitrary code execution. This high-severity vulnerability resides in the WebAssembly engine’s JavaScript component, triggered by incorrect boundary conditions that lead to a stack buffer overflow. The vulnerability was introduced in Firefox in April 2025 and evaded detection for six months despite testing, highlighting challenges in catching such subtle memory corruption bugs.

What is CVE-2025-13016?

At its core, CVE-2025-13016 arises from a single line of faulty pointer arithmetic involving template code in Firefox’s WebAssembly garbage collection. The bug happens during a specific memory fallback and causes writes beyond allocated buffer boundaries, enabling attackers to execute arbitrary code remotely via malicious webpages or crafted email content in Thunderbird.

The attack requires no privileges but does need user interaction, such as visiting a compromised website. Attack complexity is high because exploitation depends on precisely timing garbage collection within the vulnerable copy operation. The potential impact is severe: complete compromise of the affected browser or mail client process, affecting confidentiality, integrity, and availability.

Affected Products and Versions

This vulnerability impacts Mozilla Firefox versions below 145, including Firefox ESR below 140.5. Thunderbird versions prior to 145 and Thunderbird ESR versions below 140.5 are also vulnerable. Because Firefox and Thunderbird share the WebAssembly component, both products are affected.

Fixes and Mitigation

Mozilla has released patched versions addressing this flaw in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5. Users should urgently update to these versions to protect against potential attacks. Security teams should prioritize patch deployment, especially on high-risk or internet-facing endpoints.
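
To help prioritize patch deployment, the following added example (not from Mozilla or the original article) triages collected `--version` output against the fixed versions listed above. The host names and inventory lines are constructed sample data, and the function names are hypothetical.

```python
import re

# First patched version per (product, is_esr), as stated in this article.
FIXED = {
    ("firefox", False): (145,),
    ("firefox", True): (140, 5),
    ("thunderbird", False): (145,),
    ("thunderbird", True): (140, 5),
}

# Matches e.g. "Mozilla Firefox 144.0.2" or "Mozilla Thunderbird 140.4.0esr".
VERSION_RE = re.compile(
    r"(?:Mozilla\s+)?(Firefox|Thunderbird)\s+(\d+(?:\.\d+)*)(esr)?", re.IGNORECASE
)

def parse(line):
    """Return (product, version_tuple, is_esr), or None if unrecognised."""
    m = VERSION_RE.search(line)
    if not m:
        return None
    version = tuple(int(p) for p in m.group(2).split("."))
    return m.group(1).lower(), version, bool(m.group(3))

def _pad(version, width):
    return version + (0,) * (width - len(version))

def status(line):
    """Classify one version string as 'vulnerable', 'patched' or 'unknown'."""
    parsed = parse(line)
    if parsed is None:
        return "unknown"  # never assume an unparseable host is safe
    product, version, is_esr = parsed
    fixed = FIXED[(product, is_esr)]
    width = max(len(version), len(fixed))
    return "vulnerable" if _pad(version, width) < _pad(fixed, width) else "patched"

def triage(inventory):
    """Map each host to its status; inventory is (host, version_output) pairs."""
    return {host: status(line) for host, line in inventory}

# Constructed sample inventory (not real hosts).
SAMPLE = [
    ("host-a", "Mozilla Firefox 144.0.2"),
    ("host-b", "Mozilla Firefox 145.0"),
    ("host-c", "Mozilla Firefox 140.4.0esr"),
    ("host-d", "Mozilla Thunderbird 140.5.0esr"),
    ("host-e", "Mozilla Thunderbird 144.0.1"),
    ("host-f", "firefox: command not found"),
]

if __name__ == "__main__":
    for host, result in triage(SAMPLE).items():
        print(f"{host}: {result}")
```

Hosts reported as `unknown` should be checked by hand rather than treated as patched.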

Why This Matters

Despite thorough regression testing, this vulnerability was difficult to detect manually or even with traditional fuzzing and static analysis, as it involved complex template-heavy C++ code and pointer type mixing. It underscores the evolving challenges in securing modern web engines where memory safety bugs can lead to widespread risk.

Keep your browser and mail client up to date with security patches. This vulnerability highlights the importance of proactive patch management and vulnerability research to defend against advanced exploitation techniques targeting popular open-source software.
