Mozilla Foundation Security Advisory 2025-41
Security Vulnerabilities fixed in Thunderbird 138.0.2
- Announced: May 20, 2025
- Impact: critical
- Products: Thunderbird
- Fixed in: Thunderbird 138.0.2
In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but they are potential risks in browser or browser-like contexts.
CVE-2025-4918: Out-of-bounds access when resolving Promise objects
- Reporter: Edouard Bochin and Tao Yan from Palo Alto Networks working with Trend Micro's Zero Day Initiative
- Impact: critical
Description
An attacker was able to perform an out-of-bounds read or write on a JavaScript Promise object.
CVE-2025-4919: Out-of-bounds access when optimizing linear sums
- Reporter: Manfred Paul working with Trend Micro's Zero Day Initiative
- Impact: critical
Description
An attacker was able to perform an out-of-bounds read or write on a JavaScript object by confusing array index sizes.