CORS Bypass Vulnerability in Mozilla Thunderbird and Firefox Products
CVE-2025-8036

Currently unrated

Key Information:

Vendor

Mozilla
Status
Firefox
Firefox Esr
Thunderbird
Vendor
CVE Published:
22 July 2025

What is CVE-2025-8036?

A significant security flaw in Mozilla products, namely Firefox and Thunderbird, allows attackers to circumvent Cross-Origin Resource Sharing (CORS) protections through DNS rebinding. This vulnerability arises from the improper caching of CORS preflight responses when there are changes in IP addresses. As a result, untrusted origins can gain access to sensitive information, posing a serious risk to users of impacted versions.

Affected Version(s)

Firefox < 141

Firefox ESR < 140.1

Thunderbird < 141

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1960834
https://www.mozilla.org/security/advisories/mfsa2025-56/
https://www.mozilla.org/security/advisories/mfsa2025-59/

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Viktor Bocz
.
CVE-2025-8036 : CORS Bypass Vulnerability in Mozilla Thunderbird and Firefox Products