CVE-2025-4083Improper Isolation or Compartmentalization in Mozilla Firefox

CWE-653Improper Isolation or Compartmentalization12 documents8 sources
Severity
9.1CRITICALNVD
EPSS
0.4%
top 38.89%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Mozilla ThunderbirdMozilla Firefox
Timeline
PublishedApr 29
Latest updateJul 22

Description

A process isolation vulnerability in Thunderbird stemmed from improper handling of javascript: URIs, which could allow content to execute in the top-level document's process instead of the intended frame, potentially enabling a sandbox escape. This vulnerability was fixed in Firefox 138, Firefox ESR 128.10, Firefox ESR 115.23, Thunderbird 138, and Thunderbird 128.10.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 3.9 | Impact: 5.2

Affected Packages3 packages

NVDmozilla/firefox128.0128.10+2
NVDmozilla/thunderbird< 128.10.0+1
Debianmozilla/thunderbird< 1:128.10.1esr-1~deb11u1+3

🔴Vulnerability Details

3
GHSA
GHSA-v4qx-h7r5-6qc8: A process isolation vulnerability in Firefox stemmed from improper handling of javascript: URIs, which could allow content to execute in the top-level2025-04-29
OSV
CVE-2025-4083: A process isolation vulnerability in Thunderbird stemmed from improper handling of javascript: URIs, which could allow content to execute in the top-l2025-04-29
CVEList
Process isolation bypass using "javascript:" URI links in cross-origin frames2025-04-29

📋Vendor Advisories

8
Ubuntu
Thunderbird vulnerabilities2025-07-22
Red Hat
firefox: thunderbird: Process isolation bypass using "javascript:" URI links in cross-origin frames2025-04-29
Debian
CVE-2025-4083: firefox - A process isolation vulnerability in Thunderbird stemmed from improper handling ...2025
Mozilla
Mozilla Foundation Security Advisory 2025-31: CVE-2025-4083
Mozilla
Mozilla Foundation Security Advisory 2025-32: CVE-2025-4083
CVE-2025-4083 — Mozilla Firefox vulnerability | cvebase