XPath Parsing Vulnerability in Firefox and Thunderbird by Mozilla
CVE-2025-4087

6.5MEDIUM

Key Information:

Vendor: Mozilla
Status: Firefox; Firefox Esr; Thunderbird
Vendor: CVE Published:; 29 April 2025

What is CVE-2025-4087?

A security issue exists in Firefox and Thunderbird where improper handling of XPath parsing can result in undefined behavior. This arises from missing null checks during attribute access, potentially leading to out-of-bounds read access. Such vulnerabilities can expose systems to memory corruption, affecting user data integrity and application stability. Affected versions include Firefox versions below 138 and Thunderbird versions below 138, along with their respective ESR versions.

Affected Version(s)

Firefox < 138

Firefox ESR < 128.10

Thunderbird < 138

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1952465

https://www.mozilla.org/security/advisories/mfsa2025-28/

https://www.mozilla.org/security/advisories/mfsa2025-29/

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 29, 2025
Vulnerability Reserved
Apr 29, 2025

Credit

Ivan Fratric