CVE-2025-8032 — Protection Mechanism Failure in Mozilla Firefox

CWE-693 — Protection Mechanism Failure CWE-377 — Insecure Temporary File14 documents9 sources

Severity

8.1HIGHNVD

EPSS

0.1%

top 77.73%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Thunderbird Mozilla Firefox

Timeline

PublishedJul 22

Latest updateFeb 2

Description

XSLT document loading did not correctly propagate the source document which bypassed its CSP. This vulnerability was fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:NExploitability: 2.8 | Impact: 5.2

Affected Packages3 packages

▶NVDmozilla/firefox140.0 — 140.1.0+2

▶NVDmozilla/thunderbird140.0 — 140.1.0+2

▶Debianmozilla/thunderbird< 1:128.13.0esr-1~deb11u1+3

🔴Vulnerability Details

OSV

CVE-2025-8032: XSLT document loading did not correctly propagate the source document which bypassed its CSP↗2025-07-22

▶

GHSA

GHSA-hxr8-chw2-2wqc: XSLT document loading did not correctly propagate the source document which bypassed its CSP↗2025-07-22

▶

CVEList

XSLT documents could bypass CSP↗2025-07-22

▶

📋Vendor Advisories

Ubuntu

Thunderbird vulnerabilities↗2026-02-02

▶

Red Hat

firefox: thunderbird: XSLT documents could bypass CSP↗2025-07-22

▶

Debian

CVE-2025-8032: firefox - XSLT document loading did not correctly propagate the source document which bypa...↗2025

▶

Microsoft

Local privilege escalation to root due to insecure tmp file usage↗2021-02-09

▶

Mozilla

Mozilla Foundation Security Advisory 2025-63: CVE-2025-8032↗

▶