CVE-2025-4086 — User Interface (UI) Misrepresentation of Critical Information in Mozilla Firefox

CWE-451 — User Interface (UI) Misrepresentation of Critical Information8 documents7 sources

Severity

6.5MEDIUMNVD

EPSS

0.2%

top 52.50%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Thunderbird

Timeline

PublishedApr 29

Description

A specially crafted filename containing a large number of encoded newline characters could obscure the file's extension when displayed in the download dialog. *This bug only affects Thunderbird for Android. Other versions of Thunderbird are unaffected.*. This vulnerability was fixed in Firefox 138 and Thunderbird 138.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:NExploitability: 3.9 | Impact: 2.5

Affected Packages2 packages

▶NVDmozilla/thunderbird< 138.0

▶NVDmozilla/firefox< 138.0

🔴Vulnerability Details

OSV

CVE-2025-4086: A specially crafted filename containing a large number of encoded newline characters could obscure the file's extension when displayed in the download↗2025-04-29

▶

GHSA

GHSA-54jr-pmx4-5pvr: A specially crafted filename containing a large number of encoded newline characters could obscure the file's extension when displayed in the download↗2025-04-29

▶

CVEList

Specially crafted filename could be used to obscure download type↗2025-04-29

▶

📋Vendor Advisories

Red Hat

firefox: thunderbird: Specially crafted filename could be used to obscure download type↗2025-04-29

▶

Debian

CVE-2025-4086: firefox - A specially crafted filename containing a large number of encoded newline charac...↗2025

▶

Mozilla

Mozilla Foundation Security Advisory 2025-31: CVE-2025-4086↗

▶

Mozilla

Mozilla Foundation Security Advisory 2025-28: CVE-2025-4086↗

▶