CVE-2025-13019Permissive Cross-domain Security Policy with Untrusted Domains in Mozilla Firefox

CWE-942Permissive Cross-domain Security Policy with Untrusted DomainsCWE-346Origin Validation Error11 documents8 sources
Severity
8.1HIGHNVD
EPSS
0.0%
top 93.05%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Mozilla ThunderbirdMozilla Firefox
Timeline
PublishedNov 11
Latest updateFeb 2

Description

Same-origin policy bypass in the DOM: Workers component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:NExploitability: 2.8 | Impact: 5.2

Affected Packages2 packages

NVDmozilla/firefox< 140.5.0+1
Debianmozilla/thunderbird< 1:140.5.0esr-1~deb11u1+3

🔴Vulnerability Details

3
OSV
CVE-2025-13019: Same-origin policy bypass in the DOM: Workers component2025-11-11
CVEList
Same-origin policy bypass in the DOM: Workers component2025-11-11
GHSA
GHSA-mv5g-cf64-38cv: Same-origin policy bypass in the DOM: Workers component2025-11-11

📋Vendor Advisories

7
Ubuntu
Thunderbird vulnerabilities2026-02-02
Red Hat
firefox: thunderbird: Same-origin policy bypass in the DOM: Workers component2025-11-11
Debian
CVE-2025-13019: firefox - Same-origin policy bypass in the DOM: Workers component. This vulnerability affe...2025
Mozilla
Mozilla Foundation Security Advisory 2025-91: CVE-2025-13019
Mozilla
Mozilla Foundation Security Advisory 2025-88: CVE-2025-13019
CVE-2025-13019 — Mozilla Firefox vulnerability | cvebase