CVE-2025-3028 is a use-after-free vulnerability in Mozilla Firefox's XSLTProcessor component. When JavaScript code runs while transforming a document using the XSLTProcessor, it could trigger a use-after-free condition, which is a type of memory safety bug (CWE-416). This vulnerability was identified and reported by Ivan Fratric of Google Project Zero. The flaw was addressed and fixed in Firefox 137, Firefox ESR 115.22, Firefox ESR 128.9, Thunderbird 137, and Thunderbird 128.9. The CVSS v3.1 base score is 6.5 with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L, indicating network attack vector, low attack complexity, no privileges or user interaction required, unchanged scope, no confidentiality impact, low integrity impact, and high availability impact. No known exploits have been observed in the wild.

The vulnerability allows remote attackers to trigger a use-after-free condition via JavaScript during XSLT document transformation, potentially leading to memory corruption. The impact includes possible denial of service or other memory safety issues affecting integrity and availability. No confidentiality impact is noted. There are no known active exploits in the wild. The issue affects Firefox and Thunderbird versions prior to the fixed releases.

Mozilla has released official fixes for this vulnerability in Firefox 137, Firefox ESR 115.22, Firefox ESR 128.9, Thunderbird 137, and Thunderbird 128.9. Users and administrators should update to these versions or later to remediate the vulnerability. Since this is not a cloud service, patching the client software is required. There are no vendor advisories indicating that no action is required or that the issue is already mitigated without patching. Patch status is confirmed as fixed in the specified versions.