CVE-2025-4088: Vulnerability in Mozilla Firefox
Description
A security vulnerability in Thunderbird allowed malicious sites to use redirects to send credentialed requests to arbitrary endpoints on any site that had invoked the Storage Access API. This enabled potential Cross-Site Request Forgery attacks across origins. This vulnerability was fixed in Firefox 138 and Thunderbird 138.
AI Analysis
Technical Summary
This vulnerability in Mozilla Firefox and Thunderbird allowed malicious websites to use redirects to send credentialed requests to arbitrary endpoints on any site that had previously invoked the Storage Access API. Because the browser attached the user's credentials to those redirected requests, the behavior could be exploited for cross-site request forgery (CWE-352) across origins. The vulnerability was fixed in the Firefox 138 and Thunderbird 138 releases.
Potential Impact
The vulnerability enables attackers to perform cross-site request forgery attacks by sending credentialed requests via redirects to arbitrary endpoints on sites that have used the Storage Access API. This could lead to unauthorized actions being performed on behalf of the user across different origins. The CVSS v3.1 base score is 6.5 (medium), reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and impacts on confidentiality and integrity but not availability.
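The browser-side fix is the only remediation the advisory calls for, but the impact described above is ordinary CSRF, and a server can independently refuse credentialed state-changing requests that did not originate from its own origin. The check below is an added illustration, not code from Mozilla or from the advisory: it applies Fetch Metadata (`Sec-Fetch-Site`), which browsers compute over the whole redirect chain, so a request that reached the endpoint via a cross-site redirect still carries `cross-site`, and falls back to the `Origin` and `Referer` headers for clients that do not send Fetch Metadata. The origin `https://app.example` and the sample request headers are constructed for the example.

```python
from urllib.parse import urlsplit

# Methods that must not change state; CSRF defenses apply to everything else.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

# Sec-Fetch-Site values a state-changing request may carry.
# "none" is a user-initiated navigation (typed URL, bookmark), not a page-driven fetch.
ALLOWED_FETCH_SITES = {"same-origin", "none"}


def origin_of(url: str) -> str:
    """Reduce a URL to its scheme://host[:port] origin, lower-cased."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def should_accept(method: str, headers: dict, own_origin: str):
    """Decide whether a credentialed request may perform a state change.

    Returns (accept, reason). Evaluation order:
      1. safe methods are always accepted (they must be side-effect free);
      2. Sec-Fetch-Site, if present, is authoritative: the browser sets it to the
         least trusted site in the redirect chain, so redirect laundering is visible;
      3. otherwise Origin, then Referer, must match our own origin;
      4. with none of those headers, a state-changing request is refused.
    """
    method = method.upper()
    if method in SAFE_METHODS:
        return True, "safe method, no state change"

    h = {k.lower(): v for k, v in headers.items()}
    own = own_origin.lower()

    fetch_site = h.get("sec-fetch-site")
    if fetch_site is not None:
        if fetch_site in ALLOWED_FETCH_SITES:
            return True, f"Sec-Fetch-Site={fetch_site}"
        # "cross-site" (including via redirect) and "same-site" (a sibling
        # subdomain) are both refused; loosen "same-site" only deliberately.
        return False, f"Sec-Fetch-Site={fetch_site}"

    origin = h.get("origin")
    if origin is not None:
        if origin.lower() == own:
            return True, "Origin matches"
        return False, f"Origin {origin} does not match {own_origin}"

    referer = h.get("referer")
    if referer is not None:
        if origin_of(referer) == own:
            return True, "Referer origin matches"
        return False, "Referer is cross-origin"

    return False, "state-changing request without Sec-Fetch-Site, Origin or Referer"


# Constructed sample requests against a constructed origin (not from the advisory).
OWN_ORIGIN = "https://app.example"
SAMPLES = [
    ("POST", {"Sec-Fetch-Site": "same-origin", "Origin": OWN_ORIGIN}),
    # A credentialed POST that arrived through a cross-site redirect: the browser
    # reports the least trusted site in the chain, so this is flagged.
    ("POST", {"Sec-Fetch-Site": "cross-site", "Origin": "https://attacker.example"}),
    ("POST", {"Origin": OWN_ORIGIN}),                       # older client, Origin only
    ("POST", {"Origin": "https://attacker.example"}),       # older client, cross-origin
    ("POST", {"Referer": "https://app.example/settings"}),  # Referer-only client
    ("POST", {}),                                           # no provenance at all
    ("GET", {"Sec-Fetch-Site": "cross-site"}),              # cross-site read is fine
]


def run_samples():
    """Return the accept/reject decision for each sample, in order."""
    return [should_accept(m, hdrs, OWN_ORIGIN)[0] for m, hdrs in SAMPLES]


if __name__ == "__main__":
    for (method, hdrs), accepted in zip(SAMPLES, run_samples()):
        print(f"{method:5} {hdrs!s:70} -> {'accept' if accepted else 'REJECT'}")
```

Treat this as defense in depth alongside SameSite cookies and anti-CSRF tokens, not as a substitute for updating the browser: it only helps for endpoints you operate, and it assumes your own pages never legitimately submit state changes via a cross-site redirect.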
Mitigation Recommendations
This vulnerability has been fixed in Mozilla Firefox 138 and Thunderbird 138. Users and administrators should update to these versions or later to remediate the issue. There is no indication from the vendor advisory that additional mitigation steps are required beyond applying the official fixes.
Technical Details
- Data Version: 5.1
- Assigner Short Name: mozilla
- Date Reserved: 2025-04-29T13:13:43.020Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d9839c4522896dcbecce7
Added to database: 5/21/2025, 9:09:13 AM
Last enriched: 4/14/2026, 11:46:54 AM
Last updated: 5/9/2026, 1:45:44 AM