Privilege Escalation Vulnerability in Firefox and Thunderbird by Mozilla
CVE-2025-0237

5.4 MEDIUM

Key Information:

Vendor: Mozilla
CVE Published: 7 January 2025

Summary

A security flaw has been identified in the WebChannel API used by Mozilla products such as Firefox and Thunderbird. The API fails to properly verify the sending principal, which allows potential privilege escalation attacks. The issue affects multiple versions of Firefox and Thunderbird, notably Firefox versions below 134 and Thunderbird versions below 134, so users should update their software. Preventing unauthorized actions through this API is essential to safeguard user data and maintain system integrity.

Affected Version(s)

Firefox < 134

Firefox ESR < 128.6

Thunderbird < 134

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

Credit

Andrew McCreight