CVE-2025-0240

CVE-2025-0240: Compartment mismatch when parsing JavaScript JSON module

Published January 7, 2025
Last update April 13, 2026
View on NVD All CVEs

CVSS base score

What the vulnerability does

Description

Parsing a JavaScript module as JSON could, under some circumstances, cause cross-compartment access, which may result in a use-after-free. This vulnerability was fixed in Firefox 134, Firefox ESR 128.6, Thunderbird 134, and Thunderbird 128.6.

Key dates

Disclosure timeline

January 7, 2025 CVE published
April 13, 2026 Record updated