{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13024", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2025-11-11T15:12:32.221Z", "datePublished": "2025-11-11T15:47:14.756Z", "dateUpdated": "2026-04-13T14:26:22.837Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "145", "lessThanOrEqual": "*", "versionType": "rpm"}]}, {"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "145", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 145 and Thunderbird 145.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 145 and Thunderbird 145."}]}], "title": "JIT miscompilation in the JavaScript Engine: JIT component", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1992902"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-87/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-90/"}], "credits": [{"lang": "en", "value": "Project KillFuzz of Qrious Secure"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:26:22.837Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-733", "lang": "en", "description": "CWE-733 Compiler Optimization Removal or Modification of Security-critical Code"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-11-13T15:09:23.127652Z", "id": "CVE-2025-13024", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-25T14:50:35.468Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-13024", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-11-13T15:09:23.127652Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-733", "description": "CWE-733 Compiler Optimization Removal or Modification of Security-critical Code"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-13T15:12:05.544Z"}}], "cna": {"title": "JIT miscompilation in the JavaScript Engine: JIT component", "credits": [{"lang": "en", "value": "Project KillFuzz of Qrious Secure"}], "affected": [{"vendor": "Mozilla", "product": "Firefox", "versions": [{"status": "unaffected", "version": "145", "versionType": "rpm", "lessThanOrEqual": "*"}]}, {"vendor": "Mozilla", "product": "Thunderbird", "versions": [{"status": "unaffected", "version": "145", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1992902"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-87/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-90/"}], "descriptions": [{"lang": "en", "value": "JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 145 and Thunderbird 145.", "supportingMedia": [{"type": "text/html", "value": "JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 145 and Thunderbird 145.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:26:22.837Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13024", "state": "PUBLISHED", "dateUpdated": "2026-04-13T14:26:22.837Z", "dateReserved": "2025-11-11T15:12:32.221Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2025-11-11T15:47:14.756Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*", "matchCriteriaId": "445D5AED-0882-46FE-A5F1-B7148B923221", "versionEndExcluding": "145.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 145 and Thunderbird 145."}], "id": "CVE-2025-13024", "lastModified": "2026-04-13T15:16:44.140", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-11-11T16:15:39.510", "references": [{"source": "security@mozilla.org", "tags": ["Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1992902"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-87/"}, {"source": "security@mozilla.org", "url": "https://www.mozilla.org/security/advisories/mfsa2025-90/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-733"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "firefox: JIT miscompilation in the JavaScript Engine: JIT component", "id": "2414081", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2414081"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-783", "details": ["No description is available for this CVE."], "name": "CVE-2025-13024", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "rhel10/firefox-flatpak", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-11-11T15:47:14Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-13024\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-13024\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1992902\nhttps://www.mozilla.org/security/advisories/mfsa2025-87/"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.", "threat_severity": "Important"}

{"analysis": {"en": {"generated_at": "2026-04-20T17:42:45.336253+00:00", "value": {"mitigation_remediation": ["Upgrade to Firefox 145 or newer as soon as possible. ", "Upgrade to Thunderbird 145 or newer as soon as possible. ", "If an immediate update is unavailable, isolate the vulnerable applications from untrusted web content and disable JavaScript in the browser to reduce the attack surface."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Mozilla releases indicate that all Firefox and Thunderbird versions older than 145 are affected. Thus, users running any pre\u2011145 build of either product are at risk until the update is applied. No more specific sub\u2011version details are provided, so the entire pre\u2011145 set should be considered vulnerable.", "description_and_impact": "A miscompilation fault in the JavaScript engine\u2019s JIT component allows an attacker who can deliver malicious JavaScript to cause the engine to execute native code, leading to remote code execution. The flaw is classified as critical, with a CVSS score of 9.8, indicating that a successful exploit could compromise system confidentiality, integrity, and availability.", "risk_and_exploitability": "The EPSS score is reported as less than 1%, implying that currently, exploitation attempts are rare or in testing stages. Nevertheless, the high CVSS rating signals a potentially catastrophic impact if the vulnerability is leveraged. The security community has not yet catalogued the flaw in CISA\u2019s KEV list, but this does not reduce the need for remediation. The most likely attack vector is through a malicious web page or compromised attachment that loads JavaScript in the browser, which then triggers the miscompilation. Attackers could achieve full system compromise without the need for privilege escalation beyond the user running the vulnerable application."}}}}, "created": "2025-11-12T12:42:37.184882+00:00", "updated": "2026-04-20T17:45:12.954551+00:00", "vendors": ["mozilla", "mozilla$PRODUCT$firefox"]}