CVE-2025-4090 — Log File Information Exposure in Mozilla Firefox

CWE-532 — Log File Information Exposure CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-121 — Stack-based Buffer Overflow9 documents8 sources

Severity

5.3MEDIUMNVD

EPSS

0.3%

top 48.39%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Thunderbird

Timeline

PublishedApr 29

Latest updateSep 22

Description

A vulnerability existed in Thunderbird for Android where potentially sensitive library locations were logged via Logcat. This vulnerability was fixed in Firefox 138 and Thunderbird 138.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

▶NVDmozilla/thunderbird< 138.0

▶NVDmozilla/firefox< 138.0

🔴Vulnerability Details

GHSA

CodeChecker has a buffer overflow in the log command↗2025-09-22

▶

GHSA

GHSA-63pj-8c5p-x939: A vulnerability existed in Firefox for Android where potentially sensitive library locations were logged via Logcat↗2025-04-29

▶

CVEList

Leaked library paths in Thunderbird for Android↗2025-04-29

▶

OSV

CVE-2025-4090: A vulnerability existed in Firefox for Android where potentially sensitive library locations were logged via Logcat↗2025-04-29

▶

📋Vendor Advisories

Red Hat

firefox: thunderbird: Leaked library paths in Firefox for Android↗2025-04-29

▶

Debian

CVE-2025-4090: firefox - A vulnerability existed in Thunderbird for Android where potentially sensitive l...↗2025

▶

Mozilla

Mozilla Foundation Security Advisory 2025-31: CVE-2025-4090↗

▶

Mozilla

Mozilla Foundation Security Advisory 2025-28: CVE-2025-4090↗

▶