Process Isolation Vulnerability in Firefox and Thunderbird
CVE-2025-4083

9.1CRITICAL

Key Information:

Vendor: Mozilla
Status: Firefox; Firefox Esr; Thunderbird
Vendor: CVE Published:; 29 April 2025

What is CVE-2025-4083?

A process isolation vulnerability in Firefox and Thunderbird arises from improper handling of javascript: URIs. This flaw allows content to potentially execute in the top-level document's process rather than within its intended frame, posing a risk of sandbox escape. Affected versions include Firefox versions prior to 138, Firefox ESR versions before 128.10 and 115.23, as well as Thunderbird versions prior to 138 and its ESR counterpart under 128.10. Users are advised to update to mitigate the risk.

Affected Version(s)

Firefox < 138

Firefox ESR < 128.10

Firefox ESR < 115.23

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1958350

https://www.mozilla.org/security/advisories/mfsa2025-28/

https://www.mozilla.org/security/advisories/mfsa2025-29/

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 29, 2025
Vulnerability Reserved
Apr 29, 2025

Credit

Nika Layzell

Mozilla

What is CVE-2025-4083?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit