CVE-2025-0237: Incorrect Authorization in Mozilla Firefox

Severity: 5.4 MEDIUM (NVD)
EPSS: 0.1% (top 69.13%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published 2025-01-07; latest update 2026-04-15

Description

The WebChannel API, which is used to transport various information across processes, did not check the sending principal but rather accepted the principal being sent. This could have led to privilege escalation attacks. This vulnerability was fixed in Firefox 134, Firefox ESR 128.6, Thunderbird 134, and Thunderbird 128.6.
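To make the flaw class concrete, the following is an added illustration written for this page; it is not Mozilla's WebChannel code and is not based on the patch. It models a cross-process message channel in which each delivery carries both a transport-attributed sender principal and an attacker-controlled payload. The vulnerable dispatcher trusts the principal claimed inside the payload (the confused-deputy pattern the description refers to), the fixed one ignores that claim and checks only the sender the transport attributes. The channel id, allow-listed origin and helper names (`CHANNELS`, `makeDelivery`, `dispatchVulnerable`, `dispatchFixed`, `runScenario`) are assumptions for the example.

```javascript
// Added example, not Mozilla code: minimal model of a parent-side message
// channel that authorizes messages from content processes.

// Assumed allow-list: channel id -> the single origin allowed to use it.
const CHANNELS = new Map([
  ["account-updates", "https://accounts.example.test"],
]);

// A delivery as the receiving side sees it. senderPrincipal is attributed by
// the transport (the origin that actually sent the message); payload is
// entirely under the sending page's control, including any "principal" field.
function makeDelivery(senderOrigin, payload) {
  return { senderPrincipal: { origin: senderOrigin }, payload };
}

// Vulnerable pattern: the principal is read out of the payload, so any page
// that knows the channel id can simply claim the allow-listed origin.
function dispatchVulnerable(delivery) {
  const { id, principal, message } = delivery.payload;
  const allowed = CHANNELS.get(id);
  if (allowed === undefined) {
    return { accepted: false, reason: "unknown channel" };
  }
  if (!principal || principal.origin !== allowed) {
    return { accepted: false, reason: "origin not allowed" };
  }
  return { accepted: true, id, origin: principal.origin, message };
}

// Fixed pattern: whatever the payload claims is ignored; only the
// transport-attributed sender is compared against the allow-list.
function dispatchFixed(delivery) {
  const { id, message } = delivery.payload;
  const allowed = CHANNELS.get(id);
  if (allowed === undefined) {
    return { accepted: false, reason: "unknown channel" };
  }
  const sender = delivery.senderPrincipal.origin;
  if (sender !== allowed) {
    return { accepted: false, reason: "origin not allowed" };
  }
  return { accepted: true, id, origin: sender, message };
}

// Constructed scenario: one legitimate message and one from a different
// origin that forges the trusted principal inside its payload.
function runScenario() {
  const legit = makeDelivery("https://accounts.example.test", {
    id: "account-updates",
    principal: { origin: "https://accounts.example.test" },
    message: { type: "login" },
  });
  const spoofed = makeDelivery("https://attacker.example.test", {
    id: "account-updates",
    principal: { origin: "https://accounts.example.test" }, // forged claim
    message: { type: "login" },
  });
  return {
    vulnerable: { legit: dispatchVulnerable(legit), spoofed: dispatchVulnerable(spoofed) },
    fixed: { legit: dispatchFixed(legit), spoofed: dispatchFixed(spoofed) },
  };
}
```

Running `runScenario()` shows the difference: the vulnerable dispatcher accepts both messages because the forged payload carries the right origin string, while the fixed dispatcher accepts only the message whose transport-attributed sender matches the allow-list. The general rule it illustrates is that authorization data must come from the trusted side of the boundary (the transport or the browser's own principal bookkeeping), never from the untrusted message body.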

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.5

Affected Packages (4 packages)

Source   Package              Affected range
NVD      mozilla/firefox      < 128.6.0 (+1 more range)
NVD      mozilla/thunderbird  >= 129.0, < 134.0 (+1 more range)
Ubuntu   mozilla/firefox      < 134.0+build1-0ubuntu0.20.04.1
Debian   mozilla/thunderbird  < 1:128.6.0esr-1~deb11u1 (+3 more ranges)

Vulnerability Details (5)

VulDB    2026-04-15  Mozilla Firefox up to 133.x WebChannel API authorization (Nessus ID 213532)
OSV      2025-01-09  firefox vulnerabilities
GHSA     2025-01-07  GHSA-2776-h8x3-vrr7: The WebChannel API, which is used to transport various information across processes, did not check the sending principal but rather accepted the princ
CVEList  2025-01-07  WebChannel APIs susceptible to confused deputy attack
OSV      2025-01-07  CVE-2025-0237: The WebChannel API, which is used to transport various information across processes, did not check the sending principal but rather accepted the princ

Vendor Advisories (8)

Ubuntu   2026-02-02  Thunderbird vulnerabilities
Ubuntu   2025-01-09  Firefox vulnerabilities
Red Hat  2025-01-07  firefox: thunderbird: WebChannel APIs susceptible to confused deputy attack
Debian   2025        CVE-2025-0237: firefox - The WebChannel API, which is used to transport various information across proces...
Mozilla              Mozilla Foundation Security Advisory 2025-01: CVE-2025-0237