CVE-2025-4088: Cross-Site Request Forgery in Mozilla Firefox

Severity: 6.5 MEDIUM (NVD)
EPSS: 0.1% (top 69.74%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 29; Latest update Feb 2

Description

A security vulnerability in Thunderbird allowed malicious sites to use redirects to send credentialed requests to arbitrary endpoints on any site that had invoked the Storage Access API. This enabled potential Cross-Site Request Forgery attacks across origins. This vulnerability was fixed in Firefox 138 and Thunderbird 138.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Exploitability: 3.9 | Impact: 2.5

Affected Packages (3 packages)

NVD: mozilla/thunderbird < 138.0
Ubuntu: mozilla/thunderbird < 1:140.7.1+build1-0ubuntu0.22.04.1
NVD: mozilla/firefox < 138.0

Vulnerability Details (4)

GHSA: undici Denial of Service attack via bad certificate data (2025-05-15)
CVEList: Cross-site request forgery via storage access API redirects (2025-04-29)
GHSA: GHSA-vvxh-6r52-hj35: A security vulnerability in Firefox allowed malicious sites to use redirects to send credentialed requests to arbitrary endpoints on any site that had (2025-04-29)
OSV: CVE-2025-4088: A security vulnerability in Thunderbird allowed malicious sites to use redirects to send credentialed requests to arbitrary endpoints on any site that (2025-04-29)

Vendor Advisories (5)

Ubuntu: Thunderbird vulnerabilities (2026-02-02)
Red Hat: firefox: thunderbird: Cross-site request forgery via storage access API redirects (2025-04-29)
Debian: CVE-2025-4088: firefox - A security vulnerability in Thunderbird allowed malicious sites to use redirects... (2025)
Mozilla: Mozilla Foundation Security Advisory 2025-31: CVE-2025-4088
Mozilla: Mozilla Foundation Security Advisory 2025-28: CVE-2025-4088
CVE-2025-4088 — Cross-Site Request Forgery in Mozilla | cvebase