
CVE-2025-5266: Script element events leaked cross-origin resource status in Mozilla Firefox

Severity: Medium
Type: Vulnerability
Published: Tue May 27 2025 (05/27/2025, 12:29:25 UTC)
Source: CVE Database V5
Vendor/Project: Mozilla
Product: Firefox

Description

Script elements loading cross-origin resources generated load and error events which leaked information enabling XS-Leaks attacks. This vulnerability affects Firefox < 139, Firefox ESR < 128.11, Thunderbird < 139, and Thunderbird < 128.11.

AI-Powered Analysis

Last updated: 07/11/2025, 10:48:48 UTC

Technical Analysis

CVE-2025-5266 is a medium-severity vulnerability affecting Mozilla Firefox versions prior to 139 and Firefox ESR versions prior to 128.11, as well as Thunderbird versions prior to 139 and ESR versions prior to 128.11. The vulnerability arises from the way script elements handle cross-origin resource loading events. Specifically, script elements that load resources from different origins generate load and error events that can be observed by the attacker. This behavior leaks information about the status of cross-origin resources, enabling Cross-Site Leaks (XS-Leaks) attacks.

XS-Leaks are a class of side-channel attacks that exploit browser behavior to infer sensitive information about a user's interactions or data on other origins without direct access. In this case, the leakage of load and error events allows an attacker-controlled script to determine whether a cross-origin resource was successfully loaded or failed, potentially revealing sensitive information such as user authentication status, existence of resources, or other private data. The vulnerability does not require any user interaction or authentication and can be exploited remotely via a malicious website.

The CVSS v3.1 base score is 6.5, reflecting a network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, and low impact on confidentiality and integrity, with no impact on availability. No known exploits are currently reported in the wild, and no official patches or mitigation links were provided at the time of publication. The underlying weakness corresponds to CWE-200 (Information Exposure).

Potential Impact

For European organizations, this vulnerability poses a moderate risk primarily related to information disclosure. Attackers can leverage this flaw to perform XS-Leaks attacks that may reveal sensitive information about users' browsing activities, authentication states, or the presence of internal resources accessible via Firefox or Thunderbird clients. This can facilitate targeted phishing, social engineering, or further exploitation by revealing internal network structures or user privileges. Organizations handling sensitive data, such as financial institutions, healthcare providers, and government agencies, are particularly at risk of indirect compromise through information leakage. While the vulnerability does not allow direct code execution or system compromise, the confidentiality breach can undermine privacy regulations such as GDPR, potentially leading to regulatory penalties and reputational damage. The lack of required user interaction or authentication increases the risk of widespread exploitation, especially in environments where Firefox or Thunderbird are widely used without timely updates.

Mitigation Recommendations

European organizations should prioritize updating Mozilla Firefox and Thunderbird to versions 139 or later (or ESR 128.11 or later) as soon as updates become available. Until patches are applied, organizations can implement Content Security Policy (CSP) headers to restrict the loading of cross-origin scripts from untrusted domains, thereby limiting the attack surface. Network-level controls such as web filtering and DNS restrictions can block access to known malicious domains that might attempt exploitation. Security teams should monitor network traffic for unusual cross-origin requests and anomalous event patterns indicative of XS-Leaks attempts. User awareness training should emphasize the risks of visiting untrusted websites, especially when using vulnerable browser versions. Additionally, organizations can consider deploying browser isolation technologies or using alternative browsers not affected by this vulnerability for high-risk users. Regular vulnerability scanning and asset inventory updates will help identify and remediate affected systems promptly.
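To support the asset-inventory step above, the following added example (not part of the original advisory or any Mozilla tooling) flags installs that fall in the affected ranges stated on this page. The CSV layout `host,product,version`, the host names, and the rule that a 128.x build with minor version 11 or higher is the fixed ESR branch are assumptions of this example.

```python
import re

# Fixed versions as stated in the advisory text on this page.
FIXED_RELEASE_MAJOR = 139   # Firefox / Thunderbird 139
FIXED_ESR = (128, 11)       # Firefox ESR / Thunderbird 128.11
PRODUCTS = {"firefox", "thunderbird"}

def parse_version(text):
    """Return (major, minor) from strings such as '138.0.4' or '128.10.1esr'."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return int(m.group(1)), int(m.group(2) or 0)

def is_affected(product, version):
    """True when the product/version pair is in the advisory's affected range."""
    if product.lower() not in PRODUCTS:
        return False
    major, minor = parse_version(version)
    if major >= FIXED_RELEASE_MAJOR:
        return False
    # Assumption: only the 128 ESR branch carries the backported fix (128.11+).
    # Every other build below 139, including older ESR branches, is affected.
    return not (major == FIXED_ESR[0] and minor >= FIXED_ESR[1])

def scan(inventory_text):
    findings = []
    for line in inventory_text.strip().splitlines():
        host, product, version = [f.strip() for f in line.split(",")]
        try:
            if is_affected(product, version):
                findings.append((host, product, version))
        except ValueError:
            # Unknown version strings are surfaced for manual review.
            findings.append((host, product, "unparseable"))
    return findings

# Constructed sample inventory (hypothetical hosts), format: host,product,version
SAMPLE = """
ws-001,Firefox,138.0.4
ws-002,Firefox,139.0
ws-003,Firefox,128.10.1esr
ws-004,Firefox,128.11.0esr
ws-005,Thunderbird,128.10.0
ws-007,Chrome,136.0
ws-008,Firefox,115.24.0esr
"""

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```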


Technical Details

Data Version: 5.1
Assigner Short Name: mozilla
Date Reserved: 2025-05-27T12:29:24.726Z
Cvss Version: null
State: PUBLISHED

Threat ID: 6835b383182aa0cae2110af7

Added to database: 5/27/2025, 12:43:47 PM

Last enriched: 7/11/2025, 10:48:48 AM

Last updated: 8/17/2025, 8:42:49 PM
