CRITICAL🇵🇱 Wersja polska

CVE-2025-8038

CVSS 9.8v3.1pub. 2025-07-22upd. 2026-04-13

Thunderbird ignored paths when checking the validity of navigations in a frame. This vulnerability was fixed in Firefox 141, Firefox ESR 140.1, Thunderbird 141, and Thunderbird 140.1.

🤖 AI Analysis
How it works

The frame navigation validation mechanism did not consider the URL path component during verification of whether a given navigation is allowed (CWE-345: lack of verification of data authenticity/integrity). This means that security controls could be bypassed through a specially crafted request path, leading to unauthorized transitions within the embedded frame. The vulnerability is remotely accessible, requires no authentication, and requires no user interaction, making it easy to exploit in practice.

Impact

An attacker can bypass frame navigation control mechanisms, potentially gaining unauthorized access to resources, modifying content, or compromising the confidentiality, integrity, and availability of data processed by the application.

Mitigation & patch

Update to Firefox 141 or Firefox ESR 140.1 and Thunderbird 141 or Thunderbird 140.1. Patches are available through Mozilla's automatic update mechanism and on the official product websites referenced.

Who is affected

Mozilla Firefox versions prior to 141 and Firefox ESR versions prior to 140.1; Mozilla Thunderbird versions prior to 141 and Thunderbird versions prior to 140.1.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Mozilla Firefox

    APP
    Mozilla
    < 140.1.0< 141.0
  • Mozilla Thunderbird

    APP
    Mozilla
    < 140.1.0< 141.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-9680CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Use-after-free w Animation timelines Firefox/Thunderbird — RCE

CVE-2022-26486CRITICAL9.6⚠ KEVten sam produkt

An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escap...

CVE-2019-11708CRITICAL10.0⚠ KEVten sam produkt

Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes ...

CVE-2010-3765CRITICAL9.8⚠ KEVten sam produkt

Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before...

CVE-2026-14241CRITICAL9.8ten sam produkt

Memory safety bugs present in Firefox 152.0.3. Some of these bugs showed evidence of memory corruption and we ...