Mozilla Thunderbird vulnerabilities
1,818 known vulnerabilities affecting mozilla/thunderbird.
Total CVEs: 1,818
CISA KEV: 14 (actively exploited)
Public exploits: 56
Exploited in wild: 18
Severity breakdown: CRITICAL 612, HIGH 551, MEDIUM 626, LOW 29
Vulnerabilities
Page 9 of 91
CVE-2025-9180 | HIGH | CVSS 8.1 | CWE-346 | fixed in 128.14.0, fixed in 142.0, +1 more | 2025-08-19
Same-origin policy bypass in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 142, Firefox ESR 115.27, Firefox ESR 128.14, Firefox ESR 140.2, Thunderbird 142, Thunderbird 128.14, and Thunderbird 140.2.
nvd, osv
CVE-2025-9184 | HIGH | CVSS 8.1 | CWE-119 | fixed in 140.2.0, fixed in 142.0 | 2025-08-19
Memory safety bugs present in Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 142, Firefox ESR 140.2, Thunderbird 142, and Thunderb
nvd, osv
CVE-2025-9181 | MEDIUM | CVSS 6.5 | CWE-457 | fixed in 128.14.0, fixed in 142.0, +1 more | 2025-08-19
Uninitialized memory in the JavaScript Engine component. This vulnerability was fixed in Firefox 142, Firefox ESR 128.14, Firefox ESR 140.2, Thunderbird 142, Thunderbird 128.14, and Thunderbird 140.2.
nvd, osv
CVE-2025-8037 | CRITICAL | CVSS 9.1 | CWE-614 | fixed in 140.1, fixed in 141.0 | 2025-07-22
Setting a nameless cookie with an equals sign in the value shadowed other cookies, even if the nameless cookie was set over HTTP and the shadowed cookie included the `Secure` attribute. This vulnerability was fixed in Firefox 141, Firefox ESR 140.1, Thunderbird 141, and Thunderbird 140.1.
nvd, osv
CVE-2025-8028 | CRITICAL | CVSS 9.8 | CWE-1332 | fixed in 128.13.0, fixed in 141.0, +1 more | 2025-07-22
On arm64, a WASM `br_table` instruction with a lot of entries could lead to the label being too far from the instruction causing truncation and incorrect computation of the branch address. This vulnerability was fixed in Firefox 141, Firefox ESR 115.26, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1
nvd, osv
CVE-2025-8031 | CRITICAL | CVSS 9.8 | CWE-276 | fixed in 128.13.0, fixed in 141.0, +1 more | 2025-07-22
The `username:password` part was not correctly stripped from URLs in CSP reports potentially leaking HTTP Basic Authentication credentials. This vulnerability was fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1.
nvd, osv
CVE-2025-8044 | CRITICAL | CVSS 9.8 | CWE-119 | fixed in 141.0 | 2025-07-22
Memory safety bugs present in Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 141 and Thunderbird 141.
nvd
CVE-2025-8038 | CRITICAL | CVSS 9.8 | CWE-345 | fixed in 140.1.0, fixed in 141.0 | 2025-07-22
Thunderbird ignored paths when checking the validity of navigations in a frame. This vulnerability was fixed in Firefox 141, Firefox ESR 140.1, Thunderbird 141, and Thunderbird 140.1.
nvd, osv
CVE-2025-8043 | CRITICAL | CVSS 9.8 | CWE-451 | fixed in 141.0 | 2025-07-22
Focus incorrectly truncated URLs towards the beginning instead of around the origin. This vulnerability was fixed in Firefox 141.
nvd
CVE-2025-8040 | HIGH | CVSS 8.8 | CWE-119 | fixed in 140.1, fixed in 141.0 | 2025-07-22
Memory safety bugs present in Firefox ESR 140.0, Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 141, Firefox ESR 140.1, Thunderbird 141, and Thunderb
nvd, osv
CVE-2025-8039 | HIGH | CVSS 8.1 | CWE-200 | fixed in 140.1, fixed in 141.0 | 2025-07-22
In some cases search terms persisted in the URL bar even after navigating away from the search page. This vulnerability was fixed in Firefox 141, Firefox ESR 140.1, Thunderbird 141, and Thunderbird 140.1.
nvd, osv
CVE-2025-8034 | HIGH | CVSS 8.8 | CWE-119 | fixed in 128.13.0, fixed in 141.0, +1 more | 2025-07-22
Memory safety bugs present in Firefox ESR 115.25, Firefox ESR 128.12, Thunderbird ESR 128.12, Firefox ESR 140.0, Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed
nvd, osv
CVE-2025-8035 | HIGH | CVSS 8.8 | CWE-119 | fixed in 128.13.0, fixed in 141.0, +1 more | 2025-07-22
Memory safety bugs present in Firefox ESR 128.12, Thunderbird ESR 128.12, Firefox ESR 140.0, Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 141, Fir
nvd, osv
CVE-2025-8036 | HIGH | CVSS 8.1 | CWE-350 | fixed in 140.1.0, fixed in 141.0 | 2025-07-22
Thunderbird cached CORS preflight responses across IP address changes. This allowed circumventing CORS with DNS rebinding. This vulnerability was fixed in Firefox 141, Firefox ESR 140.1, Thunderbird 141, and Thunderbird 140.1.
nvd, osv
CVE-2025-8030 | HIGH | CVSS 8.1 | CWE-94 | fixed in 128.13.0, fixed in 141.0, +1 more | 2025-07-22
Insufficient escaping in the “Copy as cURL” feature could potentially be used to trick a user into executing unexpected code. This vulnerability was fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1.
nvd, osv
CVE-2025-8029 | HIGH | CVSS 8.1 | CWE-80 | fixed in 128.13.0, fixed in 141.0, +1 more | 2025-07-22
Thunderbird executed `javascript:` URLs when used in `object` and `embed` tags. This vulnerability was fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1.
nvd, osv
CVE-2025-8032 | HIGH | CVSS 8.1 | CWE-693 | fixed in 128.13.0, fixed in 141.0, +1 more | 2025-07-22
XSLT document loading did not correctly propagate the source document which bypassed its CSP. This vulnerability was fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1.
nvd, osv
CVE-2025-8027 | MEDIUM | CVSS 6.5 | CWE-457 | fixed in 128.13.0, fixed in 141.0, +1 more | 2025-07-22
On 64-bit platforms IonMonkey-JIT only wrote 32 bits of the 64-bit return value space on the stack. Baseline-JIT, however, read the entire 64 bits. This vulnerability was fixed in Firefox 141, Firefox ESR 115.26, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1.
nvd, osv
CVE-2025-8033 | MEDIUM | CVSS 6.5 | CWE-476 | fixed in 128.13.0, fixed in 141.0, +1 more | 2025-07-22
The JavaScript engine did not handle closed generators correctly and it was possible to resume them leading to a nullptr deref. This vulnerability was fixed in Firefox 141, Firefox ESR 115.26, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1.
nvd, osv
CVE-2025-6433 | CRITICAL | CVSS 9.8 | ≥ 0, < 1:140.7.1+build1-0ubuntu0.22.04.1 | 2025-06-24
If a user visited a webpage with an invalid TLS certificate, and granted an exception, the webpage was able to provide a WebAuthn challenge that the user would be prompted to complete. This is in violation of the WebAuthN spec which requires "a secure transport established without errors". This vulnerability
osv