CVE-2025-8038 — Insufficient Verification of Data Authenticity in Mozilla Firefox

CWE-345 — Insufficient Verification of Data Authenticity11 documents8 sources

Severity

9.8CRITICALNVD

EPSS

0.1%

top 83.29%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Thunderbird

Timeline

PublishedJul 22

Latest updateFeb 2

Description

Thunderbird ignored paths when checking the validity of navigations in a frame. This vulnerability was fixed in Firefox 141, Firefox ESR 140.1, Thunderbird 141, and Thunderbird 140.1.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶NVDmozilla/thunderbird< 140.1.0+1

▶Ubuntumozilla/thunderbird< 1:140.7.1+build1-0ubuntu0.22.04.1

▶NVDmozilla/firefox< 140.1.0+1

🔴Vulnerability Details

CVEList

CSP frame-src was not correctly enforced for paths↗2025-07-22

▶

OSV

CVE-2025-8038: Thunderbird ignored paths when checking the validity of navigations in a frame↗2025-07-22

▶

GHSA

GHSA-cv9p-3pfj-w864: Thunderbird ignored paths when checking the validity of navigations in a frame↗2025-07-22

▶

📋Vendor Advisories

Ubuntu

Thunderbird vulnerabilities↗2026-02-02

▶

Red Hat

firefox: thunderbird: CSP frame-src was not correctly enforced for paths↗2025-07-22

▶

Debian

CVE-2025-8038: firefox - Thunderbird ignored paths when checking the validity of navigations in a frame. ...↗2025

▶

Mozilla

Mozilla Foundation Security Advisory 2025-61: CVE-2025-8038↗

▶

Mozilla

Mozilla Foundation Security Advisory 2025-59: CVE-2025-8038↗

▶