CVE-2025-4087: Vulnerability in Mozilla Firefox
A vulnerability was identified in Thunderbird where XPath parsing could trigger undefined behavior due to missing null checks during attribute access. This could lead to out-of-bounds read access and potentially, memory corruption. This vulnerability was fixed in Firefox 138, Firefox ESR 128.10, Thunderbird 138, and Thunderbird 128.10.
AI Analysis
Technical Summary
CVE-2025-4087 is a vulnerability identified in Mozilla Firefox and Thunderbird where XPath parsing lacks proper null checks during attribute access. This flaw can trigger undefined behavior resulting in out-of-bounds read access and potential memory corruption. The vulnerability is classified under CWE-125 (Out-of-bounds Read). It affects Firefox and Thunderbird versions prior to Firefox 138 and Thunderbird 138, including Firefox ESR 128.9 and Thunderbird 128.9. The issue has been addressed and fixed in Firefox 138, Firefox ESR 128.10, Thunderbird 138, and Thunderbird 128.10. The CVSS v3.1 base score is 4.8 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N), indicating network attack vector, high attack complexity, no privileges required, no user interaction, unchanged scope, and low confidentiality and integrity impact with no availability impact. No exploits are known to be active in the wild.
Potential Impact
The vulnerability allows an attacker to cause out-of-bounds read access and potentially memory corruption through unsafe attribute access during XPath parsing. This could lead to partial confidentiality and integrity impacts. However, the attack complexity is high and no privileges or user interaction are required. There are no reports of active exploitation in the wild. The vulnerability does not affect availability.
Mitigation Recommendations
This vulnerability has been fixed by Mozilla in Firefox 138, Firefox ESR 128.10, Thunderbird 138, and Thunderbird 128.10. Users and administrators should apply these official updates to remediate the issue. No additional mitigation steps are required beyond updating to the fixed versions.
CVE-2025-4087: Vulnerability in Mozilla Firefox
Description
A vulnerability was identified in Thunderbird where XPath parsing could trigger undefined behavior due to missing null checks during attribute access. This could lead to out-of-bounds read access and potentially, memory corruption. This vulnerability was fixed in Firefox 138, Firefox ESR 128.10, Thunderbird 138, and Thunderbird 128.10.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2025-4087 is a vulnerability identified in Mozilla Firefox and Thunderbird where XPath parsing lacks proper null checks during attribute access. This flaw can trigger undefined behavior resulting in out-of-bounds read access and potential memory corruption. The vulnerability is classified under CWE-125 (Out-of-bounds Read). It affects Firefox and Thunderbird versions prior to Firefox 138 and Thunderbird 138, including Firefox ESR 128.9 and Thunderbird 128.9. The issue has been addressed and fixed in Firefox 138, Firefox ESR 128.10, Thunderbird 138, and Thunderbird 128.10. The CVSS v3.1 base score is 4.8 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N), indicating network attack vector, high attack complexity, no privileges required, no user interaction, unchanged scope, and low confidentiality and integrity impact with no availability impact. No exploits are known to be active in the wild.
Potential Impact
The vulnerability allows an attacker to cause out-of-bounds read access and potentially memory corruption through unsafe attribute access during XPath parsing. This could lead to partial confidentiality and integrity impacts. However, the attack complexity is high and no privileges or user interaction are required. There are no reports of active exploitation in the wild. The vulnerability does not affect availability.
Mitigation Recommendations
This vulnerability has been fixed by Mozilla in Firefox 138, Firefox ESR 128.10, Thunderbird 138, and Thunderbird 128.10. Users and administrators should apply these official updates to remediate the issue. No additional mitigation steps are required beyond updating to the fixed versions.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- mozilla
- Date Reserved
- 2025-04-29T13:13:41.617Z
- Cisa Enriched
- true
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 682d9839c4522896dcbecce3
Added to database: 5/21/2025, 9:09:13 AM
Last enriched: 4/14/2026, 11:46:49 AM
Last updated: 5/8/2026, 8:57:37 PM
Views: 73
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.