PT-2025-14103 · Mozilla+11 · Thunderbird+14

Ivan Fratric · Published 2025-04-01 · Updated 2025-07-22 · CVE-2025-3028

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Name of the Vulnerable Software and Affected Versions

Firefox versions prior to 137
Firefox ESR versions prior to 115.22
Firefox ESR versions prior to 128.9
Thunderbird versions prior to 137
Thunderbird versions prior to 128.9
Description

The issue is a use-after-free in the XSLTProcessor that occurs when JavaScript code is executed while a document is being transformed. A remote attacker could use it to compromise a vulnerable system. The estimated number of potentially affected devices worldwide is not provided. There is no information about real-world incidents in which this issue was exploited.
Recommendations

For Firefox versions prior to 137, update to version 137 or later.
For Firefox ESR versions prior to 115.22, update to version 115.22 or later.
For Firefox ESR versions prior to 128.9, update to version 128.9 or later.
For Thunderbird versions prior to 137, update to version 137 or later.
For Thunderbird versions prior to 128.9, update to version 128.9 or later.

As a temporary workaround, consider disabling the XSLTProcessor until a patch is available. Restrict access to the XSLTProcessor to minimize the risk of exploitation. Avoid using the XSLTProcessor in the affected API endpoints until the issue is resolved.

Weakness Enumeration

Use After Free

Related Identifiers

ALSA-2025:3556
ALSA-2025:3582
ALSA-2025:4169
ALSA-2025:4170
ALT-PU-2025-5137
ALT-PU-2025-5843
ALT-PU-2025-6353
ALT-PU-2025-7022
ALT-PU-2025-7695
ALT-PU-2025-7697
BDU:2025-05195
CESA-2025_3582
CESA-2025_4170
CVE-2025-3028
DLA-4109-1
DLA-4110-1
DSA-5889-1
DSA-5891-1
INFSA-2025_3556
INFSA-2025_3582
INFSA-2025_4169
INFSA-2025_4170
MGASA-2025-0125
MGASA-2025-0126
OESA-2025-1418
OESA-2025-1419
OESA-2025-1420
OESA-2025-1421
OESA-2025-1835
OPENSUSE-SU-2025:14961-1
OPENSUSE-SU-2025:14966-1
OPENSUSE-SU-2025:14971-1
OPENSUSE-SU-2025:14975-1
OPENSUSE-SU-2025_1138-1
OPENSUSE-SU-2025_1157-1
RHSA-2025:3556
RHSA-2025:3581
RHSA-2025:3582
RHSA-2025:3587
RHSA-2025:3589
RHSA-2025:3590
RHSA-2025:3620
RHSA-2025:3621
RHSA-2025:3623
RHSA-2025:3628
RHSA-2025:4026
RHSA-2025:4027
RHSA-2025:4028
RHSA-2025:4029
RHSA-2025:4030
RHSA-2025:4031
RHSA-2025:4032
RHSA-2025:4169
RHSA-2025:4170
RHSA-2025:7491
RHSA-2025:7493
RHSA-2025_3556
RHSA-2025_3582
RHSA-2025_4169
RHSA-2025_4170
SUSE-SU-2025:1103-1
SUSE-SU-2025:1138-1
SUSE-SU-2025:1157-1
SUSE-SU-2025_1103-1
SUSE-SU-2025_1138-1
USN-7663-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Debian
Firefox
Firefox Esr
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Thunderbird
Thunderbird Esr
Ubuntu