How to fix CVE-2025-8029?

Within 24 hours: Identify all Firefox and Thunderbird installations across the organization using asset inventory tools; prepare patch deployment plan. Within 7 days: Deploy Firefox 141 or later and Thunderbird 141 or later to all endpoints; prioritize devices with administrative access and those handling sensitive data. Within 30 days: Verify 100% patch compliance; audit and log any Firefox/Thunderbird usage during the vulnerability window (pre-patch period) for potential compromise indicators.

Is Thunderbird affected by CVE-2025-8029?

Firefox and Thunderbird versions prior to 141 contain a high-severity cross-site scripting vulnerability that allows remote attackers to execute arbitrary JavaScript in user browsers and email clients without authentication.

CVE-2025-8029

HIGH

2025-07-22 [email protected]

Mozilla XSS Thunderbird Redhat Suse

8.1

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Apr 13, 2026 - 15:40 vuln.today

DescriptionNVD

Thunderbird executed javascript: URLs when used in object and embed tags. This vulnerability was fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1.

AnalysisAI

Mozilla Firefox and Thunderbird execute JavaScript via crafted object/embed tags, enabling remote attackers to achieve high-impact XSS without authentication. Affects Firefox <141, Firefox ESR <128.13/<140.1, and Thunderbird <141/128.13/140.1. Users must visit a malicious page (UI:R), but attack complexity is low (AC:L) and no privileges required (PR:N). Vendor-released patches available across all affected product lines. No public exploit identified at time of analysis, though the attack surface is broad given browser/email client ubiquity.

Vendor StatusVendor

CVE-2025-8029 vulnerability details – vuln.today

Back