CVE-2025-8033

Published: Jul 22, 2025Modified: Apr 13, 2026

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

The JavaScript engine did not handle closed generators correctly and it was possible to resume them leading to a nullptr deref. This vulnerability was fixed in Firefox 141, Firefox ESR 115.26, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1.

Affected (7)

Products: Mozilla: Firefox, Thunderbird

2 products

Configuration A

7 vulnerable

Vulnerable Software	Affected Versions
Mozilla Firefox	Before 141.0
Mozilla Firefox	Before 115.26.0
Mozilla Firefox	From 128.0 to 128.13.0
Mozilla Firefox	From 140.0 to 140.1.0
Mozilla Thunderbird	Before 141.0
Mozilla Thunderbird	Before 128.13.0
Mozilla Thunderbird	From 140.0 to 140.1.0

Related CWEs

NULL Pointer Dereference

The product dereferences a pointer that it expects to be valid but is NULL.

References (9)

https://bugzilla.mozilla.org/show_bug.cgi?id=1973990

Source: security@mozilla.org

Permissions Required

https://www.mozilla.org/security/advisories/mfsa2025-56/

Source: security@mozilla.org

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2025-57/

Source: security@mozilla.org

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2025-58/

Source: security@mozilla.org

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2025-59/

Source: security@mozilla.org

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2025-61/

Source: security@mozilla.org

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2025-62/

Source: security@mozilla.org

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2025-63/

Source: security@mozilla.org

Vendor Advisory

https://lists.debian.org/debian-lts-announce/2025/07/msg00016.html

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.