Skip to main content

Thunderbird CVE-2025-8037

CRITICAL
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute (CWE-614)
2025-07-22 security@mozilla.org
Critical
Disputed · 9.1 NVD
Share

Severity by source

Sources disagree (Medium–Critical)
NVD PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
SUSE
CRITICAL
qualitative
Red Hat
6.1 MEDIUM
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Apr 13, 2026 - 15:41 vuln.today

DescriptionCVE.org

Setting a nameless cookie with an equals sign in the value shadowed other cookies. Even if the nameless cookie was set over HTTP and the shadowed cookie included the Secure attribute. This vulnerability was fixed in Firefox 141, Firefox ESR 140.1, Thunderbird 141, and Thunderbird 140.1.

AnalysisAI

Cookie shadowing in Mozilla Firefox (versions prior to 141 and ESR prior to 140.1) and Thunderbird (versions prior to 141 and ESR prior to 140.1) allows remote unauthenticated attackers to bypass Secure cookie protections and access or modify session data. A nameless cookie containing an equals sign set over insecure HTTP can override cookies with the Secure attribute, enabling session hijacking or authentication bypass. No public exploit identified at time of analysis, though the attack complexity is low (CVSS AC:L) with network-based attack vector requiring no user interaction.

Technical ContextAI

This vulnerability exploits cookie parsing logic in Mozilla's network stack (CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute). The core issue involves how Firefox and Thunderbird handle malformed cookies: specifically, nameless cookies (cookies without a name before the equals sign) that contain an equals sign in their value portion. Due to incorrect precedence handling in the cookie jar implementation, these malformed cookies can shadow legitimate cookies even when the legitimate cookie includes security attributes like 'Secure' (which should restrict the cookie to HTTPS-only transmission). The vulnerability affects both Firefox ESR (Extended Support Release) and standard release channels, as well as Thunderbird email client which shares Mozilla's networking code. The CPE strings identify affected products as mozilla:firefox (both standard and ESR builds) and mozilla:thunderbird (both standard and ESR builds), all versions prior to the January 2025 patches.

RemediationAI

Vendor-released patches are available: upgrade Firefox to version 141 or later, Firefox ESR to version 140.1 or later, Thunderbird to version 141 or later, or Thunderbird ESR to version 140.1 or later. Organizations should prioritize immediate deployment of these updates through existing patch management systems, particularly for Firefox ESR and Thunderbird ESR channels commonly used in enterprise environments. No effective workarounds exist beyond upgrading, as the vulnerability resides in core cookie handling logic that cannot be disabled without breaking legitimate functionality. Detailed advisory information and download links are available at Mozilla Security Advisories MFSA2025-56, MFSA2025-59, MFSA2025-61, and MFSA2025-63 (https://www.mozilla.org/security/advisories/). System administrators should verify successful update deployment and confirm running patched versions through browser/client version checks.

CVE-2024-4367 HIGH POC
8.8 May 14

Arbitrary JavaScript execution in Mozilla's PDF.js library affects Firefox before 126, Firefox ESR before 115.11, and Th

CVE-2026-2796 CRITICAL POC
9.8 Feb 24

JIT miscompilation in Firefox WebAssembly before 148. The JIT compiler generates incorrect Wasm code, enabling type conf

CVE-2025-8043 CRITICAL POC
9.8 Jul 22

Firefox and Thunderbird URL truncation flaw enables spoofing attacks by displaying misleading origins in the address bar

CVE-2026-2761 CRITICAL
10.0 Feb 24

Second sandbox escape in Firefox WebRender component. CVSS 10.0 — independent path from CVE-2026-2760 to escape the cont

CVE-2026-2768 CRITICAL
10.0 Feb 24

Sandbox escape via IndexedDB in Firefox before 148 and Thunderbird. CVSS 10.0 — the Storage: IndexedDB component allows

CVE-2026-2778 CRITICAL
10.0 Feb 24

Sandbox escape via DOM Core & HTML component in Firefox before 148. CVSS 10.0 — fifth sandbox escape in this release.

CVE-2026-2776 CRITICAL
10.0 Feb 24

Sandbox escape via Telemetry component in Firefox external software before 148. CVSS 10.0 — fourth sandbox escape in thi

CVE-2026-2760 CRITICAL
10.0 Feb 24

Sandbox escape via boundary violation in Firefox WebRender graphics component. CVSS 10.0 — allows escaping the content s

CVE-2026-0881 CRITICAL
10.0 Jan 13

Firefox Messaging System component has a sandbox escape vulnerability. Maximum CVSS 10.0 with scope change. Affects Fire

CVE-2025-14324 CRITICAL
9.8 Dec 09

JIT compiler miscompilation in Mozilla's JavaScript engine allows remote code execution without authentication in Firefo

CVE-2025-14330 CRITICAL
9.8 Dec 09

Just-In-Time (JIT) compilation flaws in Mozilla's JavaScript engine allow unauthenticated remote attackers to achieve ar

CVE-2025-14321 CRITICAL
9.8 Dec 09

Remote code execution via use-after-free in Mozilla Firefox and Thunderbird WebRTC signaling allows unauthenticated netw

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
Image SLES12-SP5-SAP-Azure-LI-BYOS-Production Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production Affected
Image SLES15-SP4-SAP-Azure-LI-BYOS Image SLES15-SP4-SAP-Azure-LI-BYOS-Production Image SLES15-SP4-SAP-Azure-VLI-BYOS Image SLES15-SP4-SAP-Azure-VLI-BYOS-Production Affected
Image SLES15-SP5-SAP-Azure-LI-BYOS Image SLES15-SP5-SAP-Azure-LI-BYOS-Production Image SLES15-SP5-SAP-Azure-VLI-BYOS Image SLES15-SP5-SAP-Azure-VLI-BYOS-Production Affected
Image SLES15-SP6-SAP-Azure-LI-BYOS Image SLES15-SP6-SAP-Azure-LI-BYOS-Production Image SLES15-SP6-SAP-Azure-VLI-BYOS Image SLES15-SP6-SAP-Azure-VLI-BYOS-Production Image SLES15-SP7-SAP-Azure-LI-BYOS-Production Image SLES15-SP7-SAP-Azure-VLI-BYOS-Production Affected
SUSE Enterprise Storage 7.1 Fixed

Share

CVE-2025-8037 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy