CVE-2025-8030

Severity: HIGH, base score 8.1 (CVSS 3.1)
2025-07-22 [email protected]

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline

1. Analysis Generated: Apr 13, 2026 - 15:40 (vuln.today)

Description (NVD)

Insufficient escaping in the “Copy as cURL” feature could potentially be used to trick a user into executing unexpected code. This vulnerability was fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1.

Analysis (AI)

Firefox and Thunderbird's 'Copy as cURL' feature improperly escapes shell metacharacters, allowing remote attackers to trick users into executing arbitrary commands when they paste a copied network request into a terminal. Affected versions: Firefox before 141, Firefox ESR before 128.13 and before 140.1, Thunderbird before 141, and Thunderbird before 128.13 and before 140.1. Vendor-released patches are available across all affected branches. CVSS 8.1 with a network attack vector requiring user interaction; no public exploit had been identified at the time of analysis. No EPSS score was available, and the dependency on social engineering limits the risk of automated exploitation.

Technical Context (AI)

This vulnerability (CWE-94: Improper Control of Generation of Code) stems from insufficient sanitization in Mozilla's developer tools 'Copy as cURL' functionality, which converts browser network requests into command-line cURL syntax. When a user copies a malicious HTTP request (crafted by an attacker-controlled server or injected via XSS) and pastes the generated cURL command into a shell, unescaped shell metacharacters (such as backticks, dollar signs, semicolons, or pipe operators) embedded in HTTP headers, parameters, or URLs can break out of the intended cURL context and execute arbitrary system commands. The CPE data confirms impact across Mozilla Firefox (standard and ESR channels versions <141, <128.13, <140.1) and Thunderbird (standard and ESR versions <141, <128.13, <140.1), spanning both the email client and web browser product lines that share the underlying Gecko codebase and developer tooling infrastructure.

Remediation (AI)

Upgrade to patched versions immediately: Firefox 141 or later, Firefox ESR 128.13/140.1 or later, Thunderbird 141 or later, or Thunderbird ESR 128.13/140.1 or later. Mozilla has released fixes across all affected product branches as documented in security advisories MFSA2025-56, MFSA2025-58, MFSA2025-59, MFSA2025-61, MFSA2025-62, and MFSA2025-63 available at https://www.mozilla.org/security/advisories/. Organizations using Firefox/Thunderbird ESR should apply the ESR-specific patches (128.13 or 140.1 depending on deployed ESR track). As a procedural workaround until patching, security teams should advise developers to manually review and sanitize all cURL commands generated from browser developer tools before execution, particularly when analyzing untrusted websites or debugging third-party integrations. Consider implementing organizational policies requiring paste-blocking terminal configurations or wrapper scripts that validate cURL syntax before execution in high-security development environments.
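The following is an added illustration of the defect class described under Technical Context and of the "wrapper script that validates cURL syntax" idea from the remediation note. It is not Mozilla's code and does not reproduce the actual devtools implementation: the request shape, the helper names (shellQuote, buildCurlCommand, unquotedMetachars, naiveCurlCommand) and the sample request are all constructed for this example. The hardened builder wraps every page-influenced value in POSIX single quotes, where $, backticks, semicolons and pipes are inert and only the single quote itself needs the '\'' idiom; the naive builder uses double quotes, which leave $ and backtick expansion active. The checker scans a command line, tracking single-quote state, and reports any metacharacter that sits outside quoting.

```javascript
// Added example (not Mozilla's code): POSIX-safe quoting for a generated cURL command line.
// Inside single quotes the shell treats every character literally; only ' needs special handling,
// done by closing the quote, emitting an escaped quote, and reopening: 'abc'\''def'.
function shellQuote(value) {
  const s = String(value);
  if (s === "") return "''";
  return "'" + s.replace(/'/g, "'\\''") + "'";
}

// Hardened builder. The request object shape is hypothetical (constructed for this example).
function buildCurlCommand(request) {
  const parts = ["curl", shellQuote(request.url)];
  if (request.method && request.method !== "GET") {
    parts.push("-X", shellQuote(request.method));
  }
  for (const [name, value] of Object.entries(request.headers || {})) {
    // Header names and values both originate from the page or server, so the whole token is quoted.
    parts.push("-H", shellQuote(`${name}: ${value}`));
  }
  if (request.body !== undefined) {
    parts.push("--data-raw", shellQuote(request.body));
  }
  return parts.join(" ");
}

// Naive builder, shown only to contrast with the hardened one: double quotes still allow
// $(...) and `...` expansion, so attacker-controlled header or URL content reaches the shell.
function naiveCurlCommand(request) {
  const parts = ["curl", `"${request.url}"`];
  for (const [name, value] of Object.entries(request.headers || {})) {
    parts.push("-H", `"${name}: ${value}"`);
  }
  return parts.join(" ");
}

// Characters that change the meaning of a command line when they appear outside quoting.
const SHELL_METACHARS = new Set(["$", "`", ";", "|", "&", "<", ">", "(", ")", "\n", '"', "*", "?"]);

// Validation pass a wrapper script could run before executing a pasted command: walk the line,
// skip everything inside single quotes and anything backslash-escaped outside them, and collect
// any remaining metacharacters. An empty result means nothing outside quoting can be expanded.
function unquotedMetachars(cmd) {
  const found = [];
  let inSingle = false;
  for (let i = 0; i < cmd.length; i++) {
    const ch = cmd[i];
    if (inSingle) {
      if (ch === "'") inSingle = false;
      continue;
    }
    if (ch === "'") { inSingle = true; continue; }
    if (ch === "\\") { i++; continue; } // the escaped character is literal
    if (SHELL_METACHARS.has(ch)) found.push(ch);
  }
  return found;
}

// Constructed sample request carrying the metacharacter kinds named in the analysis
// (dollar sign, backticks, semicolon, pipe) plus an embedded single quote. The payloads are inert.
const sampleRequest = {
  url: "https://example.test/api?q=$(id)",
  method: "POST",
  headers: {
    "X-Trace": "`whoami`; echo done | cat",
    "Cookie": "session=abc'def",
  },
  body: '{"a":1}',
};

console.log("hardened:", buildCurlCommand(sampleRequest));
console.log("unquoted metachars (hardened):", unquotedMetachars(buildCurlCommand(sampleRequest)));
console.log("unquoted metachars (naive):", unquotedMetachars(naiveCurlCommand(sampleRequest)));
```

The checker is deliberately conservative: it understands only single-quote grouping and backslash escapes, so a command built with double quotes is flagged even when the author intended it, which is the right default for a pre-execution gate on pasted input.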
