CVE-2025-3877Sensitive Information Exposure in Mozilla Firefox

CWE-200Sensitive Information Exposure3 documents2 sources
Severity
6.5HIGH
No vector
EPSS
No EPSS data
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Mozilla Firefox
Timeline
PublishedMay 14

Description

A crafted HTML email using mailbox:/// links can trigger automatic, unsolicited downloads of .pdf files to the user's desktop or home directory without prompting, even if auto-saving is disabled. This behavior can be abused to fill the disk with garbage data (e.g. using /dev/urandom on Linux) or to leak Windows credentials via SMB links when the email is viewed in HTML mode. While user interaction is required to download the .pdf file, visual obfuscation can conceal the download trigger. Viewing

Affected Packages1 packages

mozillamozilla/firefox

🔴Vulnerability Details

1
GHSA
GHSA-69m9-2g5j-9m4h: A crafted HTML email using mailbox:/// links can trigger automatic, unsolicited downloads of2025-05-14

📋Vendor Advisories

2
Mozilla
Mozilla Foundation Security Advisory 2025-34: CVE-2025-3877
Mozilla
Mozilla Foundation Security Advisory 2025-35: CVE-2025-3877