Mozilla Foundation Security Advisory 2025-31

Security Vulnerabilities fixed in Thunderbird 138

Announced

April 29, 2025

Impact

high

Products

Thunderbird

Fixed in

Thunderbird 138

#CVE-2025-2817: Privilege escalation in Thunderbird Updater

Reporter: Dong-uk Kim (@justlikebono)
Impact: high

Description

Thunderbird's update mechanism allowed a medium-integrity user process to interfere with the SYSTEM-level updater by manipulating the file-locking behavior. By injecting code into the user-privileged process, an attacker could bypass intended access controls, allowing SYSTEM-level file operations on paths controlled by a non-privileged user and enabling privilege escalation.

References

Bug 1917536

#CVE-2025-4082: WebGL shader attribute memory corruption in Thunderbird for macOS

Reporter: un3xploitable & GF
Impact: high

Description

Modification of specific WebGL shader attributes could trigger an out-of-bounds read, which, when chained with other vulnerabilities, could be used to escalate privileges.
This bug only affects Thunderbird for macOS. Other versions of Thunderbird are unaffected.

References

Bug 1937097

#CVE-2025-4083: Process isolation bypass using "javascript:" URI links in cross-origin frames

Reporter: Nika Layzell
Impact: high

Description

A process isolation vulnerability in Thunderbird stemmed from improper handling of javascript: URIs, which could allow content to execute in the top-level document's process instead of the intended frame, potentially enabling a sandbox escape.

References

Bug 1958350

#CVE-2025-4085: Potential information leakage and privilege escalation in UITour actor

Reporter: Andrew McCreight
Impact: moderate

Description

An attacker with control over a content process could potentially leverage the privileged UITour actor to leak sensitive information or escalate privileges.

References

Bug 1915280

#CVE-2025-4086: Specially crafted filename could be used to obscure download type

Reporter: Hafiizh
Impact: moderate

Description

A specially crafted filename containing a large number of encoded newline characters could obscure the file's extension when displayed in the download dialog.
This bug only affects Thunderbird for Android. Other versions of Thunderbird are unaffected.

References

Bug 1945705

#CVE-2025-4087: Unsafe attribute access during XPath parsing

Reporter: Ivan Fratric
Impact: moderate

Description

A vulnerability was identified in Thunderbird where XPath parsing could trigger undefined behavior due to missing null checks during attribute access. This could lead to out-of-bounds read access and potentially, memory corruption.

References

Bug 1952465

#CVE-2025-4088: Cross-site request forgery via storage access API redirects

Reporter: Chris P. Fredrickson
Impact: moderate

Description

A security vulnerability in Thunderbird allowed malicious sites to use redirects to send credentialed requests to arbitrary endpoints on any site that had invoked the Storage Access API. This enabled potential Cross-Site Request Forgery attacks across origins.

References

Bug 1953521

#CVE-2025-4089: Potential local code execution in "copy as cURL" command

Reporter: Ameen Basha M K
Impact: moderate

Description

Due to insufficient escaping of special characters in the "copy as cURL" feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system.

References

Bug 1949994, 1956698, 1960198

#CVE-2025-4090: Leaked library paths in Thunderbird for Android

Reporter: Seongyun Jeong
Impact: low

Description

A vulnerability existed in Thunderbird for Android where potentially sensitive library locations were logged via Logcat.

References

Bug 1929478

#CVE-2025-4091: Memory safety bugs fixed in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10

Reporter: Maurice Dauer and the Mozilla Fuzzing Team
Impact: moderate

Description

Memory safety bugs present in Firefox 137, Thunderbird 137, Firefox ESR 128.9, and Thunderbird 128.9. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

References

Memory safety bugs fixed in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10

#CVE-2025-4092: Memory safety bugs fixed in Firefox 138 and Thunderbird 138

Reporter: Randell Jesup, Jens Stutte, and the Mozilla Fuzzing Team
Impact: high

Description

Memory safety bugs present in Firefox 137 and Thunderbird 137. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

References

Memory safety bugs fixed in Firefox 138 and Thunderbird 138

Firefox for Desktop

Firefox for iOS

Firefox for Android

Firefox Focus

Firefox blog

Mozilla VPN

Mozilla Monitor

Firefox Relay

Pocket

MDN Plus

Fakespot

Thunderbird

About Mozilla

The Mozilla Manifesto

Get Involved

Innovation Projects

Blog