Vulnerabilities
Misconfiguration
Compliance
CVE Vulnerabilities

CVE-2025-1013

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Published: Feb 04, 2025 | Modified: Apr 08, 2025
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
4.3 LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Ubuntu
MEDIUM
Vulnerability-free packages from our partners
Additional information
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2025-1013
CWEhttps://cwe.mitre.org/data/definitions/362.html

A race condition could have led to private browsing tabs being opened in normal browsing windows. This could have resulted in a potential privacy leak. This vulnerability affects Firefox < 135, Firefox ESR < 128.7, Thunderbird < 128.7, and Thunderbird < 135.

Weakness

The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

Affected Software

Name Vendor Start Version End Version
Firefox Mozilla * 128.7.0 (excluding)
Firefox Mozilla * 135.0 (excluding)
Thunderbird Mozilla * 128.7.0 (excluding)
Thunderbird Mozilla 129.0 (including) 135.0 (excluding)
Red Hat Enterprise Linux 7 Extended Lifecycle Support RedHat firefox-0:128.7.0-1.el7_9 *
Red Hat Enterprise Linux 8 RedHat firefox-0:128.7.0-1.el8_10 *
Red Hat Enterprise Linux 8 RedHat thunderbird-0:128.7.0-1.el8_10 *
Red Hat Enterprise Linux 8.2 Advanced Update Support RedHat firefox-0:128.7.0-1.el8_2 *
Red Hat Enterprise Linux 8.2 Advanced Update Support RedHat thunderbird-0:128.7.0-1.el8_2 *
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support RedHat firefox-0:128.7.0-1.el8_4 *
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support RedHat thunderbird-0:128.7.0-1.el8_4 *
Red Hat Enterprise Linux 8.4 Telecommunications Update Service RedHat firefox-0:128.7.0-1.el8_4 *
Red Hat Enterprise Linux 8.4 Telecommunications Update Service RedHat thunderbird-0:128.7.0-1.el8_4 *
Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions RedHat firefox-0:128.7.0-1.el8_4 *
Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions RedHat thunderbird-0:128.7.0-1.el8_4 *
Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support RedHat firefox-0:128.7.0-1.el8_6 *
Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support RedHat thunderbird-0:128.7.0-1.el8_6 *
Red Hat Enterprise Linux 8.6 Telecommunications Update Service RedHat firefox-0:128.7.0-1.el8_6 *
Red Hat Enterprise Linux 8.6 Telecommunications Update Service RedHat thunderbird-0:128.7.0-1.el8_6 *
Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions RedHat firefox-0:128.7.0-1.el8_6 *
Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions RedHat thunderbird-0:128.7.0-1.el8_6 *
Red Hat Enterprise Linux 8.8 Extended Update Support RedHat firefox-0:128.7.0-1.el8_8 *
Red Hat Enterprise Linux 8.8 Extended Update Support RedHat thunderbird-0:128.7.0-1.el8_8 *
Red Hat Enterprise Linux 9 RedHat firefox-0:128.7.0-1.el9_5 *
Red Hat Enterprise Linux 9 RedHat thunderbird-0:128.7.0-1.el9_5 *
Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions RedHat firefox-0:128.7.0-1.el9_0 *
Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions RedHat thunderbird-0:128.7.0-1.el9_0 *
Red Hat Enterprise Linux 9.2 Extended Update Support RedHat firefox-0:128.7.0-1.el9_2 *
Red Hat Enterprise Linux 9.2 Extended Update Support RedHat thunderbird-0:128.7.0-1.el9_2 *
Red Hat Enterprise Linux 9.4 Extended Update Support RedHat firefox-0:128.7.0-1.el9_4 *
Red Hat Enterprise Linux 9.4 Extended Update Support RedHat thunderbird-0:128.7.0-1.el9_4 *
Firefox Ubuntu focal *
Mozjs102 Ubuntu esm-apps/noble *
Mozjs102 Ubuntu jammy *
Mozjs102 Ubuntu noble *
Mozjs115 Ubuntu devel *
Mozjs115 Ubuntu noble *
Mozjs115 Ubuntu oracular *
Mozjs115 Ubuntu plucky *
Mozjs52 Ubuntu esm-infra/bionic *
Mozjs52 Ubuntu focal *
Mozjs68 Ubuntu esm-infra/focal *
Mozjs68 Ubuntu focal *
Mozjs78 Ubuntu jammy *
Mozjs91 Ubuntu jammy *
Thunderbird Ubuntu focal *
Thunderbird Ubuntu jammy *
Thunderbird Ubuntu upstream *

Extended Description

A race condition occurs within concurrent environments, and it is effectively a property of a code sequence. Depending on the context, a code sequence may be in the form of a function call, a small number of instructions, a series of program invocations, etc. A race condition violates these properties, which are closely related:

A race condition exists when an “interfering code sequence” can still access the shared resource, violating exclusivity. The interfering code sequence could be “trusted” or “untrusted.” A trusted interfering code sequence occurs within the product; it cannot be modified by the attacker, and it can only be invoked indirectly. An untrusted interfering code sequence can be authored directly by the attacker, and typically it is external to the vulnerable product.

Potential Mitigations

  • Minimize the usage of shared resources in order to remove as much complexity as possible from the control flow and to reduce the likelihood of unexpected conditions occurring.
  • Additionally, this will minimize the amount of synchronization necessary and may even help to reduce the likelihood of a denial of service where an attacker may be able to repeatedly trigger a critical section (CWE-400).

References

Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2025 Aqua Security Software Ltd.   Privacy Policy | Terms of Use