CVE-2025-10532

Name	CVE-2025-10532
Description	This vulnerability affects Firefox < 143, Firefox ESR < 140.3, Thunderbird < 143, and Thunderbird < 140.3.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-4305-1, DLA-4311-1, DSA-6003-1, DSA-6011-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
firefox (PTS)	sid	144.0-1	fixed
firefox-esr (PTS)	bullseye	115.14.0esr-1~deb11u1	vulnerable
	bullseye (security)	140.4.0esr-1~deb11u1	fixed
	bookworm	128.14.0esr-1~deb12u1	vulnerable
	bookworm (security)	140.4.0esr-1~deb12u1	fixed
	trixie	128.14.0esr-1~deb13u1	vulnerable
	trixie (security)	140.4.0esr-1~deb13u1	fixed
	forky, sid	140.4.0esr-1	fixed
thunderbird (PTS)	bullseye	1:115.12.0-1~deb11u1	vulnerable
	bullseye (security)	1:140.4.0esr-1~deb11u1	fixed
	bookworm	1:128.14.0esr-1~deb12u1	vulnerable
	bookworm (security)	1:140.4.0esr-1~deb12u1	fixed
	trixie	1:128.14.0esr-1~deb13u1	vulnerable
	trixie (security)	1:140.4.0esr-1~deb13u1	fixed
	forky	1:140.3.1esr-1	fixed
	sid	1:140.4.0esr-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin
firefox	source	(unstable)	143.0-1
firefox-esr	source	bullseye	140.3.0esr-1~deb11u2	DLA-4305-1
firefox-esr	source	bookworm	140.3.0esr-1~deb12u1	DSA-6003-1
firefox-esr	source	trixie	140.3.0esr-1~deb13u1	DSA-6003-1
firefox-esr	source	(unstable)	140.3.0esr-1
thunderbird	source	bullseye	1:140.3.0esr-1~deb11u1	DLA-4311-1
thunderbird	source	bookworm	1:140.3.0esr-1~deb12u1	DSA-6011-1
thunderbird	source	trixie	1:140.3.0esr-1~deb13u1	DSA-6011-1
thunderbird	source	(unstable)	1:140.3.0esr-1

Notes

https://www.mozilla.org/en-US/security/advisories/mfsa2025-73/#CVE-2025-10532
https://www.mozilla.org/en-US/security/advisories/mfsa2025-75/#CVE-2025-10532
https://www.mozilla.org/en-US/security/advisories/mfsa2025-78/#CVE-2025-10532