A High Severity WebAssembly Boundary Condition Vulnerability in Firefox CVE-2025-13016

Keypoints

• Root cause: incorrect pointer arithmetic and mixed pointer types in StableWasmArrayObjectElements’ std::copy (uint8_t* vs uint16_t*), causing writes of numElements_*sizeof(T) elements instead of bytes and overflowing inline storage.
• Additional bug: inlineStorage() pointed at a DataHeader, so the code copied metadata instead of element data; correct pointer is provided by inlineArrayElements().
• Trigger: the vulnerable copy runs during WebAssembly GC when the fast NoGC string allocation fails, specifically in Instance::stringFromCharCodeArray (js/src/wasm/WasmInstance.cpp), enabling exploitation under precise memory-pressure conditions.
• Detection timeline: vulnerable code introduced April 7, 2025 (Bug 1956768) with a regression test; discovered by Aisle on October 2, 2025 and reported to Mozilla; fixed and uplifted to Firefox 145 and ESR 140.5 in mid–late October 2025.
• Impact and severity: CVE-2025-13016 scored CVSS 7.5 (High), affected Firefox 143–144 and early 145 and ESR 140.0–140.4 across Windows, macOS, Linux, and Android; over 180 million monthly active users potentially exposed.
• Remediation and mitigation: Mozilla fixed the code (using inlineArrayElements() and correct std::copy usage); users should update to Firefox 145/ESR 140.5+, or temporarily disable WebAssembly via about:config (javascript.options.wasm = false) with functionality trade-offs.