Severity: High

Remote Code Execution in Firefox and Thunderbird WebAssembly JavaScript Component

Identifiers: CVE-2025-13016, CWE-787

CVE-2025-13016 is a high-severity memory corruption vulnerability in the JavaScript: WebAssembly component used by Mozilla Firefox and Thunderbird. The provided content states the flaw is caused by incorrect boundary conditions in template-heavy WebAssembly garbage-collection code, with faulty pointer arithmetic during a memory fallback/copy path leading to a stack buffer overflow and writes beyond allocated buffer boundaries. A remote attacker may be able to trigger the bug by causing a target to process malicious WebAssembly content, such as through a crafted webpage in Firefox and potentially crafted email content in Thunderbird. Affected versions are Firefox before 145, Firefox ESR before 140.5, Thunderbird before 145, and Thunderbird ESR before 140.5.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation could allow arbitrary code execution in the context of the affected Firefox or Thunderbird process. The content indicates this may result in full compromise of the application process, with impact to confidentiality, integrity, and availability, including potential access to sensitive data and the ability to execute attacker-controlled code on the victim system.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by limiting access to untrusted websites and untrusted active content, especially WebAssembly-capable content, and by restricting or isolating browser and mail-client use on high-risk systems until updates can be applied. For Thunderbird, avoid opening untrusted or suspicious email content. Prioritize internet-facing and high-risk endpoints for accelerated update deployment. Specific vendor-recommended mitigations beyond patching were not provided in the content.

Remediation

Patch, then assume compromise.

Upgrade to a fixed release: Firefox 145 or later, Firefox ESR 140.5 or later, Thunderbird 145 or later, or Thunderbird ESR 140.5 or later. The provided content indicates Mozilla released fixes in these versions and users and defenders should prioritize prompt patch deployment.
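As an added exposure check that is not part of this advisory, the Python below compares the versions an inventory reports against the fixed releases stated above (Firefox/Thunderbird 145, ESR 140.5), distinguishing the ESR branch by its "esr" suffix; the inventory rows and the product/channel handling are constructed assumptions for illustration.

```python
"""Exposure check for CVE-2025-13016 against the fixed releases stated on this page."""
import re

# Fixed releases from the advisory: anything older on the same branch is affected.
# Keys are (product, channel); ESR is identified by the "esr" version suffix.
FIXED = {
    ("firefox", "release"): (145, 0),
    ("firefox", "esr"): (140, 5),
    ("thunderbird", "release"): (145, 0),
    ("thunderbird", "esr"): (140, 5),
}


def parse_version(text):
    """'140.5.1esr' -> ((140, 5, 1), 'esr'); '145.0' -> ((145, 0), 'release')."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]+\d*)?", text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    channel = "esr" if m.group(2) == "esr" else "release"
    return parts, channel


def is_affected(product, version):
    """True when the installed version is older than the fixed release on its branch."""
    parts, channel = parse_version(version)
    fixed = FIXED[(product.lower(), channel)]
    # Right-pad with zeros so (145,) and (145, 0) compare as equal.
    width = max(len(parts), len(fixed))
    return parts + (0,) * (width - len(parts)) < fixed + (0,) * (width - len(fixed))


def affected_hosts(inventory):
    """Return hostnames whose reported build is still vulnerable (constructed input format)."""
    return [host for host, product, version in inventory if is_affected(product, version)]


# Constructed sample inventory: (hostname, product, reported version).
SAMPLE_INVENTORY = [
    ("ws-01", "Firefox", "144.0.2"),        # release branch, pre-fix
    ("ws-02", "Firefox", "145.0"),          # fixed
    ("srv-mail", "Thunderbird", "140.4.0esr"),  # ESR branch, pre-fix
    ("ws-03", "Thunderbird", "140.5.0esr"), # fixed
    ("ws-04", "Firefox", "115.18.0esr"),    # old ESR line, still "before 140.5"
]

if __name__ == "__main__":
    print("Still exposed:", affected_hosts(SAMPLE_INVENTORY))
```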
PUBLIC EXPLOITS

Exploits


No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor    Product   Type
Mozilla   Firefox   application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
