CVE-2025-13017 is a vulnerability in Mozilla Firefox's DOM Notifications component that allows bypassing the same-origin policy. The same-origin policy is a fundamental security mechanism that restricts how documents or scripts loaded from one origin can interact with resources from another origin. This bypass could potentially allow unauthorized access to information or actions across origins. The vulnerability was reported by Mochammad Nosa Shandy Prastyo and is classified under CWE-942 (Improper Neutralization of Special Elements used in an OS Command). Mozilla fixed this vulnerability in Firefox 145 and Firefox ESR 140.5, as documented in their security advisories MFSA 2025-87 and MFSA 2025-88.

The vulnerability impacts the confidentiality and integrity of user data by allowing a same-origin policy bypass in the Notifications component of Firefox. This could enable an attacker to access or manipulate data across origins that should be isolated, potentially leading to unauthorized information disclosure or modification. The CVSS 3.1 base score is 8.1 (high), with network attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope, and high impact on confidentiality and integrity. There are no known exploits in the wild at the time of publication.

Mozilla has released official fixes for this vulnerability in Firefox 145 and Firefox ESR 140.5. Users and administrators should update their Firefox installations to these versions or later to remediate the issue. Since this is a client-side vulnerability in a non-cloud product, applying the official patches is the recommended mitigation. No additional vendor-recommended mitigations or workarounds are indicated in the advisory.