Cross-Site Request Forgery Vulnerability in Firefox and Thunderbird
CVE-2025-4088

6.5MEDIUM

Key Information:

Vendor: Mozilla
Status: Firefox; Thunderbird
Vendor: CVE Published:; 29 April 2025

What is CVE-2025-4088?

A security vulnerability in Firefox and Thunderbird enables malicious websites to exploit redirect functionalities, leading to unauthorized credentialed requests to arbitrary endpoints. This issue primarily arises when sites use the Storage Access API, potentially facilitating Cross-Site Request Forgery (CSRF) attacks across different origins. Users of Firefox and Thunderbird versions prior to 138 are advised to update their software to mitigate these security risks.

Affected Version(s)

Firefox < 138

Thunderbird < 138

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1953521

https://www.mozilla.org/security/advisories/mfsa2025-28/

https://www.mozilla.org/security/advisories/mfsa2025-31/

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 29, 2025
Vulnerability Reserved
Apr 29, 2025

Credit

Chris P. Fredrickson