Multiple vulnerabilities in Thunderbird
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 11 |
| CVE-ID | CVE-2025-6424 CVE-2025-6425 CVE-2025-6426 CVE-2025-6427 CVE-2025-6429 CVE-2025-6430 CVE-2025-6432 CVE-2025-6433 CVE-2025-6434 CVE-2025-6435 CVE-2025-6436 |
| CWE-ID | CWE-416 CWE-200 CWE-357 CWE-693 CWE-20 CWE-358 CWE-119 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Mozilla Thunderbird Client/Desktop applications / Messaging software |
| Vendor | Mozilla |
Security Bulletin
This security bulletin contains information about 11 vulnerabilities.
1) Use-after-free
EUVDB-ID: #VU111885
Risk: High
CVSSv4.0: 5.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2025-6424
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in FontFaceSet. A remote attacker can trick the victim into opening a specially crafted website and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsMozilla Thunderbird: 130.0 - 139.0.2
CPE2.3- cpe:2.3:a:mozilla:mozilla_thunderbird:*:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_thunderbird:131.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_thunderbird:131.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_thunderbird:132.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_thunderbird:139.0.2:*:*:*:*:*:*:*
https://www.mozilla.org/en-US/security/advisories/mfsa2025-54/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Information disclosure
EUVDB-ID: #VU111886
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-6425
CWE-ID:
CWE-200 - Exposure of sensitive information to an unauthorized actor
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to the WebCompat extension shipped with Firefox allows to enumerate resources and obtain a persistent UUID that identifies the browser, and persists between containers and normal/private browsing mode, but not profiles.
MitigationInstall update from vendor's website.
Vulnerable software versionsMozilla Thunderbird: 130.0 - 139.0.2
CPE2.3- cpe:2.3:a:mozilla:mozilla_thunderbird:131.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_thunderbird:131.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_thunderbird:132.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_thunderbird:139.0.2:*:*:*:*:*:*:*
https://www.mozilla.org/en-US/security/advisories/mfsa2025-54/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Insufficient UI Warning of Dangerous Operations
EUVDB-ID: #VU111887
Risk: High
CVSSv4.0: 4.8 [CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2025-6426
CWE-ID:
CWE-357 - Insufficient UI Warning of Dangerous Operations
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to the terminal extension does not show a warning when opening an executable terminal filer on macOS. A remote attacker can trick the victim into executing an executable file and compromise the affected system.
Note, the vulnerability affects macOS installations only.
MitigationInstall update from vendor's website.
Vulnerable software versionsMozilla Thunderbird: 130.0 - 139.0.2
CPE2.3- cpe:2.3:a:mozilla:mozilla_thunderbird:131.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_thunderbird:131.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_thunderbird:132.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_thunderbird:139.0.2:*:*:*:*:*:*:*
https://www.mozilla.org/en-US/security/advisories/mfsa2025-54/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Protection Mechanism Failure
EUVDB-ID: #VU111890
Risk: Low
CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-6427
CWE-ID:
CWE-693 - Protection Mechanism Failure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient implementation of security measures. An attacker is able to bypass the connect-src directive of a Content Security Policy by manipulating subdocuments. This would have also hidden the connections from the Network tab in Devtools.
MitigationInstall update from vendor's website.
Vulnerable software versionsMozilla Thunderbird: 130.0 - 139.0.2
CPE2.3- cpe:2.3:a:mozilla:mozilla_thunderbird:131.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_thunderbird:131.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_thunderbird:132.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_thunderbird:139.0.2:*:*:*:*:*:*:*
https://www.mozilla.org/en-US/security/advisories/mfsa2025-54/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Input validation error
EUVDB-ID: #VU111888
Risk: Low
CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-6429
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to incorrect parsing of embedded URLs that led to URLs being rewritten to the youtube.com domain. A remote attacker can use a specially crafted embed tag to bypass website security checks that restricted which domains users were allowed to embed.
MitigationInstall update from vendor's website.
Vulnerable software versionsMozilla Thunderbird: 130.0 - 139.0.2
CPE2.3- cpe:2.3:a:mozilla:mozilla_thunderbird:131.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_thunderbird:131.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_thunderbird:132.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_thunderbird:139.0.2:*:*:*:*:*:*:*
https://www.mozilla.org/en-US/security/advisories/mfsa2025-54/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Protection Mechanism Failure
EUVDB-ID: #VU111889
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-6430
CWE-ID:
CWE-693 - Protection Mechanism Failure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to an error when handling embed or object tags. When a file download is specified via the Content-Disposition header, that directive would be ignored if the file was included via a <embed> or <object> tag, potentially making a website vulnerable to a cross-site scripting attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsMozilla Thunderbird: 130.0 - 139.0.2
CPE2.3- cpe:2.3:a:mozilla:mozilla_thunderbird:131.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_thunderbird:131.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_thunderbird:132.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_thunderbird:139.0.2:*:*:*:*:*:*:*
https://www.mozilla.org/en-US/security/advisories/mfsa2025-54/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Information disclosure
EUVDB-ID: #VU111893
Risk: Low
CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-6432
CWE-ID:
CWE-200 - Exposure of sensitive information to an unauthorized actor
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to DNS requests can be leaked outside of a configured SOCKS proxy. When Multi-Account Containers was enabled, DNS requests could have bypassed a SOCKS proxy when the domain name was invalid or the SOCKS proxy was not responding.
MitigationInstall update from vendor's website.
Vulnerable software versionsMozilla Thunderbird: 130.0 - 139.0.2
CPE2.3- cpe:2.3:a:mozilla:mozilla_thunderbird:131.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_thunderbird:131.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_thunderbird:132.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_thunderbird:139.0.2:*:*:*:*:*:*:*
https://www.mozilla.org/en-US/security/advisories/mfsa2025-54/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Improperly implemented security check for standard
EUVDB-ID: #VU111894
Risk: Low
CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-6433
CWE-ID:
CWE-358 - Improperly Implemented Security Check for Standard
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to an error when handling invalid TLS certificates. If a user visited a webpage with an invalid TLS certificate, and granted an exception, the webpage was able to provide a WebAuthn challenge that the user would be prompted to complete. This is in violation of the WebAuthN spec which requires "a secure transport established without errors".
MitigationInstall update from vendor's website.
Vulnerable software versionsMozilla Thunderbird: 130.0 - 139.0.2
CPE2.3- cpe:2.3:a:mozilla:mozilla_thunderbird:131.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_thunderbird:131.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_thunderbird:132.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_thunderbird:139.0.2:*:*:*:*:*:*:*
https://www.mozilla.org/en-US/security/advisories/mfsa2025-54/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Protection Mechanism Failure
EUVDB-ID: #VU111895
Risk: Low
CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-6434
CWE-ID:
CWE-693 - Protection Mechanism Failure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to the exception page for the HTTPS-Only feature, displayed when a website is opened via HTTP, lacked an anti-clickjacking delay, potentially allowing an attacker to trick a user into granting an exception and loading a webpage over HTTP.
MitigationInstall update from vendor's website.
Vulnerable software versionsMozilla Thunderbird: 130.0 - 139.0.2
CPE2.3- cpe:2.3:a:mozilla:mozilla_thunderbird:131.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_thunderbird:131.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_thunderbird:132.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_thunderbird:139.0.2:*:*:*:*:*:*:*
https://www.mozilla.org/en-US/security/advisories/mfsa2025-54/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Input validation error
EUVDB-ID: #VU111896
Risk: Low
CVSSv4.0: 4.5 [CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-6435
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to manipulate file a downloaded extension.
The vulnerability exists due to insufficient validation of user-supplied input. If a user saved a response from the Network tab in Devtools using the Save As context menu option, that file may not have been saved with the .download file extension. This could have led to the user inadvertently running a malicious executable.
MitigationInstall update from vendor's website.
Vulnerable software versionsMozilla Thunderbird: 130.0 - 139.0.2
CPE2.3- cpe:2.3:a:mozilla:mozilla_thunderbird:131.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_thunderbird:131.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_thunderbird:132.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_thunderbird:139.0.2:*:*:*:*:*:*:*
https://www.mozilla.org/en-US/security/advisories/mfsa2025-54/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Buffer overflow
EUVDB-ID: #VU111897
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2025-6436
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsMozilla Thunderbird: 130.0 - 139.0.2
CPE2.3- cpe:2.3:a:mozilla:mozilla_thunderbird:131.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_thunderbird:131.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_thunderbird:132.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_thunderbird:139.0.2:*:*:*:*:*:*:*
https://www.mozilla.org/en-US/security/advisories/mfsa2025-54/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
