CVE-2025-3028 in Thunderbird
Summary
by MITRE • 04/01/2025
JavaScript code running while transforming a document with the XSLTProcessor could lead to a use-after-free. This vulnerability was fixed in Firefox 137, Firefox ESR 115.22, Firefox ESR 128.9, Thunderbird 137, and Thunderbird 128.9.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 04/15/2026
The vulnerability identified as CVE-2025-3028 represents a critical use-after-free condition within the JavaScript engine of Mozilla Firefox and Thunderbird applications. This flaw manifests during document transformation operations that utilize the XSLTProcessor interface, which is a standard web API for processing XML documents through XSLT stylesheets. The issue arises from improper memory management during the execution of JavaScript code that interacts with XSLT transformation processes, creating opportunities for memory corruption that could be exploited by malicious actors.
The technical root cause of this vulnerability stems from a memory safety issue where JavaScript objects that are freed from memory are still being referenced or accessed by subsequent operations within the XSLT transformation pipeline. This use-after-free condition occurs when the XSLTProcessor encounters specific JavaScript code patterns during document processing, leading to a scenario where freed memory locations are accessed, potentially allowing attackers to execute arbitrary code with the privileges of the affected application. The vulnerability is classified under CWE-416 as a use-after-free error, which represents one of the most dangerous categories of memory safety flaws due to its potential for remote code execution.
The operational impact of CVE-2025-3028 extends beyond simple application instability, as it provides a potential pathway for attackers to gain unauthorized code execution within the context of the browser or email client. This vulnerability affects multiple Mozilla products including Firefox desktop browsers, Firefox Extended Support Release versions, and Thunderbird email clients, making it a widespread concern for organizations that rely on these applications. The attack surface is particularly concerning given that XSLT transformations are commonly used in web applications for data processing and presentation, and the vulnerability can be triggered through maliciously crafted XML documents or web pages that utilize XSLT processing.
Security researchers have identified that this vulnerability aligns with ATT&CK technique T1059.007 which covers JavaScript and VBScript execution, and potentially T1203 which involves exploitation of software vulnerabilities. The fix implemented by Mozilla addresses the memory management issues within the XSLTProcessor implementation and requires users to update to the patched versions including Firefox 137, Firefox ESR 115.22, Firefox ESR 128.9, Thunderbird 137, and Thunderbird 128.9. Organizations should prioritize deployment of these updates across their environments, particularly in enterprise settings where Firefox and Thunderbird are widely used. The mitigation strategy should also include monitoring for exploitation attempts and implementing network-based protections such as web application firewalls that can detect and block malicious XSLT processing patterns.
The vulnerability demonstrates the ongoing challenges in maintaining memory safety in complex JavaScript engines, particularly when dealing with interoperability between native code and scripting languages. The fix represents a fundamental correction to the memory management logic within the XSLT transformation code path, ensuring proper object lifecycle management during document processing operations. This type of vulnerability highlights the importance of regular security updates and the need for comprehensive testing of web application components that interact with XML processing capabilities, as these features often serve as attack vectors for sophisticated exploitation techniques.