{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13018", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2025-11-11T15:12:17.945Z", "datePublished": "2025-11-11T15:47:16.458Z", "dateUpdated": "2026-04-13T14:26:30.229Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "140.5", "lessThanOrEqual": "140.*", "versionType": "rpm"}, {"status": "unaffected", "version": "145", "lessThanOrEqual": "*", "versionType": "rpm"}]}, {"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "140.5", "lessThanOrEqual": "140.*", "versionType": "rpm"}, {"status": "unaffected", "version": "145", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5."}]}], "title": "Mitigation bypass in the DOM: Security component", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1984940"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-87/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-88/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-90/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-91/"}], "credits": [{"lang": "en", "value": "Daniel Veditz"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:26:30.229Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-288", "lang": "en", "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-11-12T15:10:48.076563Z", "id": "CVE-2025-13018", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-25T14:48:17.867Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-13018", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-11-12T15:10:48.076563Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-288", "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-12T15:12:42.970Z"}}], "cna": {"title": "Mitigation bypass in the DOM: Security component", "credits": [{"lang": "en", "value": "Daniel Veditz"}], "affected": [{"vendor": "Mozilla", "product": "Firefox", "versions": [{"status": "unaffected", "version": "140.5", "versionType": "rpm", "lessThanOrEqual": "140.*"}, {"status": "unaffected", "version": "145", "versionType": "rpm", "lessThanOrEqual": "*"}]}, {"vendor": "Mozilla", "product": "Thunderbird", "versions": [{"status": "unaffected", "version": "140.5", "versionType": "rpm", "lessThanOrEqual": "140.*"}, {"status": "unaffected", "version": "145", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1984940"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-87/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-88/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-90/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-91/"}], "descriptions": [{"lang": "en", "value": "Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5.", "supportingMedia": [{"type": "text/html", "value": "Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:26:30.229Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13018", "state": "PUBLISHED", "dateUpdated": "2026-04-13T14:26:30.229Z", "dateReserved": "2025-11-11T15:12:17.945Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2025-11-11T15:47:16.458Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*", "matchCriteriaId": "D77916A6-B8C6-475D-8D77-D5D3AA1E1F43", "versionEndExcluding": "140.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*", "matchCriteriaId": "445D5AED-0882-46FE-A5F1-B7148B923221", "versionEndExcluding": "145.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5."}], "id": "CVE-2025-13018", "lastModified": "2026-04-13T15:16:43.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-11-11T16:15:38.900", "references": [{"source": "security@mozilla.org", "tags": ["Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1984940"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-87/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-88/"}, {"source": "security@mozilla.org", "url": "https://www.mozilla.org/security/advisories/mfsa2025-90/"}, {"source": "security@mozilla.org", "url": "https://www.mozilla.org/security/advisories/mfsa2025-91/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-288"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "firefox: Mitigation bypass in the DOM: Security component", "id": "2414079", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2414079"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-79", "details": ["No description is available for this CVE."], "name": "CVE-2025-13018", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "rhel10/firefox-flatpak", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-11-11T15:47:16Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-13018\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-13018\nhttps://www.mozilla.org/security/advisories/mfsa2025-88/#CVE-2025-13018"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.", "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-04-20T19:02:49.632582+00:00", "value": {"mitigation_remediation": ["Upgrade to Firefox\u202f145 or later or Firefox\u202fESR\u202f140.5 or later; upgrade Thunderbird\u202f145 or later or Thunderbird\u202fESR\u202f140.5 or later", "In environments where updating immediately is not possible, consider disabling or restricting DOM content injection in user\u2011configured policies or sandboxing the affected applications", "Regularly review Mozilla security advisories and apply patches as soon as they become available"], "summary": {"action": "Immediate Patch", "impact": "Cross\u2011site scripting via DOM mitigation bypass"}, "threat_synthesis": {"affected_systems": "Mozilla Firefox versions before\u202f145 and Firefox\u202fESR before\u202f140.5, as well as Mozilla Thunderbird versions before\u202f145 and Thunderbird\u202fESR before\u202f140.5 are affected. These are the mainstream and extended\u2011support editions widely used on consumer and enterprise systems.", "description_and_impact": "The vulnerability is a mitigation bypass in the DOM's security component, allowing an attacker to inject malicious script into pages rendered by Firefox or Thunderbird. Because the validation logic is circumvented, the injected JavaScript runs in the context of the victim\u2019s browser, giving the attacker the ability to hijack or alter data, perform click\u2011jacking, or execute arbitrary code (CWE\u201179).", "risk_and_exploitability": "The CVSS score is 8.1, indicating high severity, but the EPSS score is below\u202f1\u202f%, meaning the likelihood of exploitation in the wild is low. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker could trigger it by delivering a malicious web page or email that leverages the DOM; no elevated privileges or network access are required, and the exploitation is local to the user\u2019s browser."}}}}, "created": "2025-11-12T12:42:25.135810+00:00", "updated": "2026-04-20T19:15:15.041886+00:00", "vendors": ["mozilla", "mozilla$PRODUCT$firefox", "mozilla$PRODUCT$firefox_esr"]}