Mozilla Foundation Security Advisory 2025-32

Security Vulnerabilities fixed in Thunderbird 128.10

Announced

April 29, 2025

Impact

high

Products

Thunderbird

Fixed in

Thunderbird 128.10

#CVE-2025-2817: Privilege escalation in Thunderbird Updater

Reporter: Dong-uk Kim (@justlikebono)
Impact: high

Description

Thunderbird's update mechanism allowed a medium-integrity user process to interfere with the SYSTEM-level updater by manipulating the file-locking behavior. By injecting code into the user-privileged process, an attacker could bypass intended access controls, allowing SYSTEM-level file operations on paths controlled by a non-privileged user and enabling privilege escalation.

References

Bug 1917536

#CVE-2025-4082: WebGL shader attribute memory corruption in Thunderbird for macOS

Reporter: un3xploitable & GF
Impact: high

Description

Modification of specific WebGL shader attributes could trigger an out-of-bounds read, which, when chained with other vulnerabilities, could be used to escalate privileges.
This bug only affects Thunderbird for macOS. Other versions of Thunderbird are unaffected.

References

Bug 1937097

#CVE-2025-4083: Process isolation bypass using "javascript:" URI links in cross-origin frames

Reporter: Nika Layzell
Impact: high

Description

A process isolation vulnerability in Thunderbird stemmed from improper handling of javascript: URIs, which could allow content to execute in the top-level document’s process instead of the intended frame, potentially enabling a sandbox escape.

References

Bug 1958350

#CVE-2025-4084: Potential local code execution in "copy as cURL" command

Reporter: Ameen Basha M K
Impact: moderate

Description

Due to insufficient escaping of the special characters in the "copy as cURL" feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's system.
This bug only affects Firefox for Windows. Other versions of Firefox are unaffected.

References

Bug 1949994, 1956698, 1960198

#CVE-2025-4087: Unsafe attribute access during XPath parsing

Reporter: Ivan Fratric
Impact: moderate

Description

A vulnerability was identified in Thunderbird where XPath parsing could trigger undefined behavior due to missing null checks during attribute access. This could lead to out-of-bounds read access and potentially, memory corruption.

References

Bug 1952465

#CVE-2025-4091: Memory safety bugs fixed in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10

Reporter: Maurice Dauer and the Mozilla Fuzzing Team
Impact: moderate

Description

Memory safety bugs present in Firefox 137, Thunderbird 137, Firefox ESR 128.9, and Thunderbird 128.9. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

References

Memory safety bugs fixed in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10

#CVE-2025-4093: Memory safety bug fixed in Firefox ESR 128.10 and Thunderbird 128.10

Reporter: Andrew McCreight
Impact: high

Description

Memory safety bug present in Firefox ESR 128.9, and Thunderbird 128.9. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code.

References

Memory safety bug fixed in Firefox ESR 128.10 and Thunderbird 128.10

Firefox for Desktop

Firefox for iOS

Firefox for Android

Firefox Focus

Firefox blog

Mozilla VPN

Mozilla Monitor

Firefox Relay

Pocket

MDN Plus

Fakespot

Thunderbird

About Mozilla

The Mozilla Manifesto

Get Involved

Innovation Projects

Blog