Unexpected File Upload Vulnerability in Mozilla Firefox and Thunderbird for Windows
CVE-2025-3033

Currently unrated

Key Information:

Vendor
Mozilla
CVE Published:
1 April 2025

Summary

A vulnerability in Firefox and Thunderbird on Windows allows a malicious .url shortcut from the local filesystem to trigger an unintended file upload. The flaw affects Firefox and Thunderbird versions prior to 137 and poses a risk primarily to users on Windows; other operating systems are unaffected. Users and organizations are advised to update to the latest versions to mitigate the risk.

Affected Version(s)

Firefox < 137

Thunderbird < 137

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Ameen Basha M K