CVE-2025-4088 | THREATINT

Description

A security vulnerability in Thunderbird allowed malicious sites to use redirects to send credentialed requests to arbitrary endpoints on any site that had invoked the Storage Access API. This enabled potential Cross-Site Request Forgery attacks across origins. This vulnerability was fixed in Firefox 138 and Thunderbird 138.

PUBLISHED Reserved 2025-04-29 | Published 2025-04-29 | Updated 2026-04-13 | Assigner mozilla

Product status

138 (rpm)

unaffected

138 (rpm)

unaffected

Credits

Chris P. Fredrickson

References

bugzilla.mozilla.org/show_bug.cgi?id=1953521

www.mozilla.org/security/advisories/mfsa2025-28/

www.mozilla.org/security/advisories/mfsa2025-31/

cve.org (CVE-2025-4088)

nvd.nist.gov (CVE-2025-4088)

Download JSON