CVE-2013-5604 in Firefox
Summary
by MITRE
The txXPathNodeUtils::getBaseURI function in the XSLT processor in Mozilla Firefox before 25.0, Firefox ESR 17.x before 17.0.10 and 24.x before 24.1, Thunderbird before 24.1, Thunderbird ESR 17.x before 17.0.10, and SeaMonkey before 2.22 does not properly initialize data, which allows remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow and application crash) via crafted documents.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 11/25/2025
The vulnerability identified as CVE-2013-5604 represents a critical stack-based buffer overflow in Mozilla Firefox's XSLT processor component, affecting multiple products including Firefox, Thunderbird, and SeaMonkey across several versions. This flaw exists within the txXPathNodeUtils::getBaseURI function which handles XSLT transformations, creating a potential pathway for remote code execution through maliciously crafted web documents. The vulnerability stems from improper data initialization during XSLT processing operations, specifically when handling base URI resolution within XPath node utilities.
The technical implementation of this vulnerability involves a stack-based buffer overflow that occurs when the txXPathNodeUtils::getBaseURI function fails to properly initialize memory structures before processing XSLT documents. When attackers craft malicious XML documents containing specially constructed XSLT transformations, the function processes these inputs without adequate bounds checking or memory initialization, leading to memory corruption that can be exploited to execute arbitrary code or cause application crashes. This flaw operates at the intersection of XSLT processing and memory management, leveraging the complex interaction between XML transformation engines and stack memory allocation.
From an operational perspective, this vulnerability presents significant risk to users of affected software versions, as it allows remote attackers to execute arbitrary code on targeted systems without user interaction. The attack vector requires only the delivery of malicious web content that triggers the vulnerable XSLT processing path, making it particularly dangerous in web browsing contexts. The impact extends beyond simple code execution to include potential denial of service conditions that can crash applications, rendering them unavailable to legitimate users. This vulnerability directly maps to CWE-121 Stack-based Buffer Overflow and aligns with ATT&CK technique T1059.007 for Command and Scripting Interpreter, as it enables arbitrary code execution through script processing.
The exploitation of this vulnerability requires careful crafting of XSLT documents that can trigger the specific code path within txXPathNodeUtils::getBaseURI, making it moderately sophisticated but not requiring advanced attacker capabilities. The vulnerability affects multiple Mozilla products and versions, creating a broad attack surface across different software ecosystems. Security professionals should note that this vulnerability represents a classic memory corruption issue that can be addressed through proper memory initialization and bounds checking practices. The recommended mitigations include immediate deployment of security patches, enabling security features like Address Space Layout Randomization (ASLR), and implementing network-level protections such as content filtering and web application firewalls to prevent exploitation of this vulnerability in production environments.