CVE-2025-1013

Published: Feb 4, 2025Modified: Apr 13, 2026

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Exploitability: 3.9 / Impact: 2.5

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

A race condition could have led to private browsing tabs being opened in normal browsing windows. This could have resulted in a potential privacy leak. This vulnerability was fixed in Firefox 135, Firefox ESR 128.7, Thunderbird 128.7, and Thunderbird 135.

Affected (4)

Products: Mozilla: Firefox, Thunderbird

2 products

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Mozilla Firefox	Before 135.0
Mozilla Firefox	Before 128.7.0
Mozilla Thunderbird	Before 128.7.0
Mozilla Thunderbird	From 129.0 to 135.0

Related CWEs

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

References (6)

https://bugzilla.mozilla.org/show_bug.cgi?id=1932555

Source: security@mozilla.org

Issue Tracking

https://www.mozilla.org/security/advisories/mfsa2025-07/

Source: security@mozilla.org

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2025-09/

Source: security@mozilla.org

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2025-10/

Source: security@mozilla.org

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2025-11/

Source: security@mozilla.org

Vendor Advisory

https://lists.debian.org/debian-lts-announce/2025/02/msg00006.html

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.