
Thunderbird CVE-2025-8043

Severity: Critical (disputed; NVD 9.8)
Weakness: User Interface (UI) Misrepresentation of Critical Information (CWE-451)
Published: 2025-07-22, security@mozilla.org

Severity by source

Sources disagree (Medium–Critical):

- NVD (primary): 9.8 CRITICAL, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- SUSE: CRITICAL (qualitative)
- Red Hat: 6.1 MEDIUM (qualitative)

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: High

Lifecycle Timeline

1. Analysis Generated: Apr 13, 2026 - 15:41 (vuln.today)

Description (CVE.org)

Focus incorrectly truncated URLs towards the beginning instead of around the origin. This vulnerability was fixed in Firefox 141.

Analysis (AI)

Firefox and Thunderbird URL truncation flaw enables spoofing attacks by displaying misleading origins in the address bar. Affects all Firefox versions prior to 141 and corresponding Thunderbird releases. Attackers can craft URLs that hide the true destination, tricking users into visiting malicious sites. Publicly available exploit code exists. CVSS 9.8 critical rating reflects network-based attack requiring no authentication, though real-world exploitation requires social engineering (user interaction despite UI:N vector).

Technical Context (AI)

This vulnerability stems from CWE-451 (User Interface Misrepresentation of Critical Information), specifically in Firefox's URL handling and display logic. The browser's Focus component incorrectly truncates long URLs from the beginning rather than truncating around the origin portion. This creates a spoofing vector: an attacker can construct a URL with padding that pushes the real, attacker-controlled origin out of view while the visible portion looks trustworthy. The affected products are Mozilla Firefox (all versions before 141) and Mozilla Thunderbird (version range not specified, but synchronized with Firefox ESR releases), as identified by the CPE strings cpe:2.3:a:mozilla:firefox and cpe:2.3:a:mozilla:thunderbird. The address bar is a critical security boundary that users rely on to validate a site's authenticity, so UI misrepresentation in this component is particularly dangerous for phishing and credential-harvesting attacks.
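To make the display-logic point concrete, the following JavaScript is an added illustration for this page; it is not Mozilla's code and does not reproduce how Firefox or Focus renders its address bar. It contrasts a truncation whose visible window is not anchored on the origin (modelled here as keeping the tail of the string) with an origin-anchored truncation that always renders scheme and host and elides the path instead, plus the check a reviewer of address-bar code would want: the rendered text must still contain the real host. The display width MAX_DISPLAY, the function names and the sample URL are constructed for the example.

```javascript
// Added illustration, not Mozilla's code: two ways of fitting a long URL into a
// fixed-width address bar. Only the origin-anchored one keeps the host visible.

const MAX_DISPLAY = 40; // assumed address-bar width in characters (constructed)

// Flawed approach: the visible window is not anchored on the origin. Here it keeps
// the tail of the string, so a long padded path pushes scheme and host out of view.
function truncateFromBeginning(url, max = MAX_DISPLAY) {
  if (url.length <= max) return url;
  return "\u2026" + url.slice(url.length - (max - 1));
}

// Hardened approach: always render scheme and host in full and elide the
// path/query/fragment instead. Userinfo ("user@") is deliberately never rendered.
function truncateAroundOrigin(url, max = MAX_DISPLAY) {
  const u = new URL(url);
  const origin = `${u.protocol}//${u.host}`;
  const rest = u.pathname + u.search + u.hash;
  if (origin.length + rest.length <= max) return origin + rest;
  const room = max - origin.length - 1; // one character reserved for the ellipsis
  if (room <= 0) return origin;         // never clip the origin itself
  return origin + rest.slice(0, room) + "\u2026";
}

// The property to check: whatever is rendered must contain the navigated URL's host.
function hostVisible(displayed, url) {
  return displayed.includes(new URL(url).host);
}

// Render a URL with both strategies and report whether the host survived.
function render(url) {
  return [truncateFromBeginning, truncateAroundOrigin].map((fn) => {
    const shown = fn(url);
    return { strategy: fn.name, shown, hostVisible: hostVisible(shown, url) };
  });
}

// Constructed sample: an ordinary origin followed by a long, padded path.
const SAMPLE_URL = "https://example.test/" + "segment/".repeat(20) + "login";

console.log(render(SAMPLE_URL));
```

Running it shows the tail-anchored strategy rendering a string that contains no host at all, while the origin-anchored strategy keeps `https://example.test` intact and elides the path.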

Remediation (AI)

Upgrade to Firefox 141 or later immediately to receive the vendor-released patch that corrects URL truncation behavior in the Focus component. For Thunderbird users, update to the corresponding patched release documented in the MFSA 2025-56 advisory at https://www.mozilla.org/security/advisories/mfsa2025-56/. Enterprise deployments should prioritize systems used for web browsing and email by high-risk user groups (executives, finance, HR). No effective workaround exists, since the flaw is in core URL display logic. Organizations can partially mitigate risk through security awareness training that emphasizes verifying the full URL before entering credentials, but patching is the only complete remediation. Technical details are available in Bugzilla bug 1970209 at https://bugzilla.mozilla.org/show_bug.cgi?id=1970209.

Vendor Status (Vendor)

SUSE

Severity: Critical
Product Status:

- openSUSE Tumbleweed: Fixed
- SUSE Linux Enterprise Desktop 15 SP7: Fixed
- SUSE Linux Enterprise High Performance Computing 15 SP7: Fixed
- SUSE Linux Enterprise Module for Desktop Applications 15 SP7: Fixed


CVE-2025-8043 vulnerability details – vuln.today
