Same-Origin Policy Bypass in Firefox and Thunderbird by Mozilla
CVE-2025-9180

8.1HIGH

Key Information:

Vendor: Mozilla
Status: Firefox; Firefox Esr; Thunderbird
Vendor: CVE Published:; 19 August 2025

What is CVE-2025-9180?

A vulnerability has been identified in the Graphics: Canvas2D component of the Mozilla products, allowing an attacker to bypass the same-origin policy. This could potentially lead to unauthorized access to sensitive data from different origins, compromising the security model intended to protect user data. The affected versions of Firefox and Thunderbird include several prior releases, highlighting the necessity for users to update their applications to mitigate this risk.

Affected Version(s)

Firefox < 142

Firefox ESR < 115.27

Firefox ESR < 128.14

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1979782

https://www.mozilla.org/security/advisories/mfsa2025-64/

https://www.mozilla.org/security/advisories/mfsa2025-65/

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 19, 2025
Vulnerability Reserved
Aug 19, 2025

Credit

Tom Van Goethem