
Description

The WebChannel API, which is used to transport various information across processes, did not check the principal of the sending side; instead it accepted whatever principal was sent along with the message. A less privileged sender could therefore claim a more privileged principal and have the receiving side act on its behalf (a confused deputy), which could have led to privilege escalation attacks. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird < 128.6.
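The flaw pattern above (trusting a principal carried inside the message rather than the principal of the channel it arrived on) is easy to model in isolation. The following is an added illustration, not Firefox's WebChannel code: the `ChannelSender`, `VulnerableBroker` and `FixedBroker` classes, the `readSecret` command and the principal strings are all hypothetical, chosen only to show the vulnerable check next to the corrected one.

```javascript
// Added, simplified model of the confused-deputy bug described in CVE-2025-0237.
// NOT Firefox's WebChannel implementation; all names here are hypothetical.

// A principal is modelled as an origin string. SYSTEM_PRINCIPAL stands in for a
// privileged (chrome/system) principal that a content sender must never obtain.
const SYSTEM_PRINCIPAL = "system";

// One end of a cross-process channel. The receiving side learns a sender's real
// principal from the channel itself, independent of any message contents.
class ChannelSender {
  constructor(principal) {
    this.principal = principal;
  }
  send(broker, message) {
    return broker.receive(this, message);
  }
}

// Vulnerable receiver: authorizes on the principal embedded in the message,
// which the sender fully controls.
class VulnerableBroker {
  constructor(privilegedActions) {
    this.privilegedActions = privilegedActions;
  }
  receive(sender, message) {
    const claimed = message.principal; // attacker-controlled field
    return this.dispatch(claimed, message);
  }
  dispatch(principal, message) {
    const action = this.privilegedActions[message.command];
    if (!action) return { ok: false, reason: "unknown command" };
    if (principal !== SYSTEM_PRINCIPAL) return { ok: false, reason: "not privileged" };
    return { ok: true, result: action(message.args) };
  }
}

// Fixed receiver: ignores whatever principal the message claims and uses the
// principal the channel itself attributes to the sender.
class FixedBroker extends VulnerableBroker {
  receive(sender, message) {
    const actual = sender.principal; // derived from the channel, not the payload
    return this.dispatch(actual, message);
  }
}

// Constructed privileged action for the demonstration.
const actions = {
  readSecret: () => "s3cr3t",
};

// A content-origin sender spoofs the system principal in the message body.
function spoofAttempt(BrokerClass) {
  const broker = new BrokerClass(actions);
  const content = new ChannelSender("https://attacker.example");
  return content.send(broker, {
    principal: SYSTEM_PRINCIPAL,
    command: "readSecret",
    args: {},
  });
}

// A genuinely privileged sender, to show the fix does not break legitimate use.
function legitimateRequest(BrokerClass) {
  const broker = new BrokerClass(actions);
  const privileged = new ChannelSender(SYSTEM_PRINCIPAL);
  return privileged.send(broker, { command: "readSecret", args: {} });
}

console.log("vulnerable, spoofed:", spoofAttempt(VulnerableBroker));
console.log("fixed, spoofed:     ", spoofAttempt(FixedBroker));
console.log("fixed, legitimate:  ", legitimateRequest(FixedBroker));
```

The only difference between the two brokers is the single line that picks the principal; the vulnerable one lets a content sender escalate by writing a privileged principal into the message, while the fixed one binds authorization to where the message actually came from.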

Status: PUBLISHED | Reserved: 2025-01-06 | Published: 2025-01-07 | Updated: 2025-11-03 | Assigner: mozilla

Problem types

WebChannel APIs susceptible to confused deputy attack

Product status

Mozilla Firefox
Any version before 134
affected

Mozilla Firefox ESR
Any version before 128.6
affected

Mozilla Thunderbird
Any version before 134
affected

Mozilla Thunderbird
Any version before 128.6
affected

Credits

Andrew McCreight

References

lists.debian.org/debian-lts-announce/2025/01/msg00004.html

bugzilla.mozilla.org/show_bug.cgi?id=1915257

www.mozilla.org/security/advisories/mfsa2025-01/

www.mozilla.org/security/advisories/mfsa2025-02/

www.mozilla.org/security/advisories/mfsa2025-04/

www.mozilla.org/security/advisories/mfsa2025-05/

cve.org (CVE-2025-0237)

nvd.nist.gov (CVE-2025-0237)
