CVE-2025-8032

HIGH
2025-07-22 [email protected]
8.1
CVSS 3.1

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline

1. Analysis Generated: Apr 13, 2026 - 15:40 (vuln.today)

Description (NVD)

XSLT document loading did not correctly propagate the source document which bypassed its CSP. This vulnerability was fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1.

Analysis (AI)

A Content Security Policy bypass in Mozilla Firefox and Thunderbird allows remote attackers to circumvent CSP protections via maliciously crafted XSLT documents. The flaw affects Firefox versions prior to 141 and Firefox ESR prior to 128.13/140.1, as well as Thunderbird versions prior to 141 and Thunderbird ESR prior to 128.13/140.1. Exploitation requires user interaction (visiting a malicious site or opening a malicious email) but no authentication. The issue is rated CVSS 8.1 (High severity) and is documented in six separate Mozilla security advisories. The CSP bypass enables high-impact confidentiality and integrity violations, though no public exploit or active exploitation has been identified at the time of analysis.

Technical Context (AI)

This vulnerability stems from improper handling of XSLT (Extensible Stylesheet Language Transformations) document loading within Mozilla's browser engine. XSLT is a language for transforming XML documents, commonly used in web applications for data presentation. The flaw maps to CWE-693 (Protection Mechanism Failure), indicating a fundamental failure in enforcing security controls. Content Security Policy is a critical browser security feature that restricts resource loading to prevent XSS and data injection attacks by defining trusted content sources. During XSLT document transformation, the Mozilla browser engine failed to correctly propagate the source document context, which caused the CSP enforcement mechanism to be bypassed. This means that XSLT transformations could load resources from origins that would normally be blocked by the page's CSP directives. The vulnerability affects both Firefox desktop browsers (standard and ESR channels) and Thunderbird email clients (standard and ESR channels), as they share the same underlying Gecko rendering engine.

Remediation (AI)

Upgrade immediately to a patched version: Firefox 141 or later, Firefox ESR 128.13 or Firefox ESR 140.1 or later, Thunderbird 141 or later, Thunderbird ESR 128.13 or Thunderbird ESR 140.1 or later. Organizations using Extended Support Release channels should prioritize the ESR updates to maintain long-term support while addressing this vulnerability. Detailed update instructions and release notes are available in Mozilla Security Advisories MFSA2025-56, MFSA2025-58, MFSA2025-59, MFSA2025-61, MFSA2025-62, and MFSA2025-63 at https://www.mozilla.org/security/advisories/. For Debian-based Linux distributions, security updates are tracked at https://lists.debian.org/debian-lts-announce/2025/07/msg00016.html. No workarounds are documented; patching is the only reliable mitigation. Organizations should verify successful patch deployment by checking the browser and email client version numbers in the About dialogs, and should ensure that enterprise deployment mechanisms push updates to all endpoints.
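
One way to run the version check described above across an endpoint inventory. This is an added example, not code from Mozilla or vuln.today. The CSV layout (host, product, version), the host names and the function names are assumptions, and the sample rows are constructed.

```python
import re

# Fixed versions as listed on this page (same numbers for Firefox and Thunderbird).
FIXED_ESR_BRANCHES = {128: 13, 140: 1}  # ESR branch major -> first fixed minor
FIXED_RELEASE_MAJOR = 141               # 141 and later carry the fix

def parse_version(text):
    """Return (major, minor) from strings such as '128.13.0esr'; None if unparsable.
    Assumption: suffixes such as 'esr' or beta tags are ignored."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)

def status(version_text):
    """Classify a version string as 'patched', 'vulnerable' or 'unknown'."""
    parsed = parse_version(version_text)
    if parsed is None:
        return "unknown"  # missing or malformed data needs manual follow-up
    major, minor = parsed
    if major >= FIXED_RELEASE_MAJOR:
        return "patched"
    if major in FIXED_ESR_BRANCHES and minor >= FIXED_ESR_BRANCHES[major]:
        return "patched"
    # Everything else, including 129-139 and 140.0.x, predates the fix.
    return "vulnerable"

# Constructed inventory rows: host,product,version
SAMPLE_INVENTORY = """\
ws-001,firefox,141.0
ws-002,firefox,140.0.4
ws-003,firefox,128.13.0esr
ws-004,thunderbird,128.12.0esr
ws-005,thunderbird,140.1.0esr
ws-006,firefox,139.0.1
ws-007,thunderbird,
"""

def audit(inventory_text):
    """Return (host, product, version, status) for hosts not confirmed patched."""
    findings = []
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        host, product, version = (field.strip() for field in line.split(","))
        result = status(version)
        if result != "patched":
            findings.append((host, product, version, result))
    return findings

if __name__ == "__main__":
    for row in audit(SAMPLE_INVENTORY):
        print(*row, sep="\t")
```

Hosts reported as unknown should be treated as unpatched until their version is confirmed.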
