CVE-2025-14331

MEDIUM
2025-12-09
6.5
CVSS 3.1

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

1. Analysis Generated: Apr 13, 2026 - 16:12 (vuln.today)

Description (NVD)

Same-origin policy bypass in the Request Handling component. This vulnerability was fixed in Firefox 146, Firefox ESR 115.31, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6.

Analysis (AI)

Same-origin policy bypass in Firefox and Thunderbird request handling allows unauthenticated remote attackers to access sensitive information from cross-origin resources with low attack complexity and no user interaction required. The vulnerability affects Firefox versions below 146, Firefox ESR below 115.31 and 140.6, Thunderbird below 146, and Thunderbird ESR below 140.6. No public exploit code had been identified at the time of analysis, and the EPSS score of 0.04% indicates a low real-world exploitation probability despite the moderate CVSS rating.

Technical Context (AI)

The vulnerability exists in the Request Handling component of Mozilla's browser engines (Firefox/Thunderbird), which enforces the Same-Origin Policy (SOP), a fundamental web security boundary that prevents scripts and requests from one origin from accessing resources of another origin. CWE-346 (Origin Validation Error) indicates that the root cause is improper enforcement of origin checks during request processing. The affected products span both the release and Extended Support Release (ESR) branches across multiple versions, as indicated by the CPE strings covering Firefox and Thunderbird in both standard and ESR variants. The network vector with no privilege requirements and no user interaction suggests the bypass can be triggered through crafted network requests or malicious web content.

Remediation (AI)

Vendor-released patch: Firefox 146 (standard), Firefox ESR 115.31, Firefox ESR 140.6, Thunderbird 146 (standard), and Thunderbird ESR 140.6. Users should immediately update to the patched versions via the automatic update mechanism in Firefox and Thunderbird, or by downloading the latest release from mozilla.org. Organizations managing Firefox/Thunderbird deployments should prioritize ESR branch updates (115.31 or 140.6) depending on their locked ESR track. Detailed patch information and security context are available in Mozilla security advisories at https://www.mozilla.org/security/advisories/mfsa2025-92/, https://www.mozilla.org/security/advisories/mfsa2025-93/, https://www.mozilla.org/security/advisories/mfsa2025-94/, https://www.mozilla.org/security/advisories/mfsa2025-95/, and https://www.mozilla.org/security/advisories/mfsa2025-96/.
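As a fleet-triage aid added here (not Mozilla's or vuln.today's code), the following classifies installed Firefox/Thunderbird versions against the fixed versions named above; the hostnames and inventory are constructed sample data, and the ESR track is inferred from the major version (115 and 140) rather than from the optional "esr" suffix.

```python
# Triage helper for CVE-2025-14331: which installs still lack the fix?
# Illustration written for this page; not Mozilla tooling.

# Fixed versions per product. ESR tracks are keyed by major version; any
# other major is compared against the standard release channel fix (146).
FIXED = {
    "firefox": {"release": (146,), "esr": {115: (115, 31), 140: (140, 6)}},
    "thunderbird": {"release": (146,), "esr": {140: (140, 6)}},
}


def parse_version(text):
    """'140.5.0esr' -> (140, 5, 0). The 'esr' suffix is dropped because the
    ESR track is derived from the major version in is_fixed()."""
    text = text.strip().lower().removesuffix("esr")
    return tuple(int(p) for p in text.split("."))


def is_fixed(product, version):
    """True if `version` of `product` carries the CVE-2025-14331 fix."""
    branches = FIXED[product.lower()]  # KeyError for unsupported products
    parts = parse_version(version)
    fixed = branches["esr"].get(parts[0], branches["release"])
    # Tuple comparison handles differing lengths: (145, 0, 1) < (146,)
    return parts >= fixed


def triage(inventory):
    """inventory: host -> (product, version). Returns hosts needing an update."""
    return sorted(h for h, (p, v) in inventory.items() if not is_fixed(p, v))


if __name__ == "__main__":
    # Constructed sample inventory, not real data.
    sample = {
        "ws-01": ("Firefox", "145.0.1"),
        "ws-02": ("Firefox", "146.0"),
        "srv-03": ("Firefox", "140.5.0esr"),
        "srv-04": ("Firefox", "115.31.0esr"),
        "mail-05": ("Thunderbird", "140.6.0"),
        "mail-06": ("Thunderbird", "141.0"),
    }
    for host in triage(sample):
        product, version = sample[host]
        print(f"{host}: {product} {version} needs update")
```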

Vendor Status (Vendor)
