File Extension Disclosure in Firefox for Android and Thunderbird by Mozilla
CVE-2025-4086
6.5 MEDIUM
What is CVE-2025-4086?
A flaw exists in Firefox for Android and Thunderbird where a specially crafted filename containing multiple encoded newline characters can mask the true file extension in download dialogs. A user who cannot see the real extension may be confused about what is being downloaded, and the issue may be exploited to compromise the integrity and security of user data when files are downloaded. The risk is present on specific versions of Firefox and Thunderbird and requires immediate attention from affected users.
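A defensive check for the condition described above, added here as an illustration and not Mozilla's code or fix: it decodes a received filename, counts the line breaks, and compares the extension visible on the first line with the extension the full name ends in. It assumes the newlines arrive percent-encoded (`%0A`/`%0D`, possibly double-encoded), which the advisory does not specify; `inspect_download_name` and the sample names are constructed.

```python
import re
from urllib.parse import unquote

# Control characters (CR, LF, ...) plus Unicode line and paragraph separators.
_BREAK = r"[\x00-\x1f\x7f\u0085\u2028\u2029]"


def _ext(name: str) -> str:
    """Lower-cased text after the last dot, or '' when there is no dot."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def inspect_download_name(raw_name: str, max_rounds: int = 3) -> dict:
    """Decode a filename as received and report line breaks that can hide its extension."""
    decoded = raw_name
    for _ in range(max_rounds):  # also unwraps double encoding such as %250A
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step

    breaks = len(re.findall(_BREAK, decoded))
    # Assumption: a dialog that renders the name may show only its first line.
    first_line = re.split(_BREAK, decoded, maxsplit=1)[0]
    # Replace each run of breaks with one visible character so the tail stays in view.
    safe_name = re.sub(_BREAK + "+", "_", decoded)
    return {
        "line_breaks": breaks,
        "shown_ext": _ext(first_line),  # extension visible before the first break
        "real_ext": _ext(safe_name),    # extension the complete name ends in
        "safe_name": safe_name,
        "flag": breaks > 0,
    }


if __name__ == "__main__":
    # Constructed sample names, not taken from the advisory.
    samples = ("summary%20Q1.pdf", "invoice.pdf%0A%0A%0A%0A.apk", "notes.txt%250a%250a.exe")
    for name in samples:
        print(name, "->", inspect_download_name(name))
```

A mail gateway or download proxy could apply a check like this to attachment and `Content-Disposition` filenames and present `safe_name` instead of the raw value.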
Affected Version(s)
Firefox < 138
Thunderbird < 138