CVE-2025-8036

HIGH
2025-07-22 [email protected]
Mozilla Information Disclosure Thunderbird Redhat Suse
8.1
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Apr 13, 2026 - 15:41 vuln.today

DescriptionNVD

Thunderbird cached CORS preflight responses across IP address changes. This allowed circumventing CORS with DNS rebinding. This vulnerability was fixed in Firefox 141, Firefox ESR 140.1, Thunderbird 141, and Thunderbird 140.1.

AnalysisAI

DNS rebinding attacks can bypass Cross-Origin Resource Sharing (CORS) protections in Mozilla Firefox and Thunderbird due to improper cache invalidation of CORS preflight responses when target IP addresses change. Remote attackers can exploit this via malicious websites to access confidential cross-origin data without user authentication (CVSS: PR:N, UI:R). No public exploit identified at time of analysis, though CERT VU#652514 provides technical disclosure. EPSS data not provided, but the combination of network-accessible attack vector, low complexity, and no required privileges warrants attention for organizations using affected Mozilla products.

Technical ContextAI

CORS (Cross-Origin Resource Sharing) is a browser security mechanism that uses HTTP preflight requests (OPTIONS method) to validate whether cross-origin requests are permitted. Per CWE-350 (Reliance on Reverse DNS Resolution for Security Decision), this vulnerability stems from Mozilla's improper handling of cached CORS preflight responses when DNS records change to point to different IP addresses-a technique known as DNS rebinding. Browsers should invalidate CORS cache entries when the resolved IP address changes, but affected Firefox (versions prior to 141 regular, 140.1 ESR) and Thunderbird (versions prior to 141 regular, 140.1 ESR) retained stale preflight approval even after DNS resolution returned a different IP. This allows an attacker controlling DNS for a domain to first pass CORS checks legitimately, then rebind the domain to a victim's internal IP address while the browser still honors the cached approval, effectively bypassing same-origin policy protections for requests to the new target.

RemediationAI

Vendor-released patches available: upgrade Firefox regular channel to version 141 or later, Firefox ESR to version 140.1 or later, Thunderbird regular channel to version 141 or later, or Thunderbird ESR to version 140.1 or later. Download updates through Mozilla's official channels or enable automatic updates in browser/email client settings. Mozilla security advisories at https://www.mozilla.org/security/advisories/mfsa2025-56/, https://www.mozilla.org/security/advisories/mfsa2025-59/, https://www.mozilla.org/security/advisories/mfsa2025-61/, and https://www.mozilla.org/security/advisories/mfsa2025-63/ provide release-specific guidance. No workarounds identified; patching is the definitive remediation. Enterprise deployments should test updated versions in staging environments before broad rollout, prioritizing internet-facing users and systems with access to sensitive internal resources.

Vendor StatusVendor

Share

CVE-2025-8036 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy