CVE-2025-8036: DNS rebinding circumvents CORS in Mozilla Firefox
Firefox cached CORS preflight responses across IP address changes. This allowed circumventing CORS with DNS rebinding. This vulnerability affects Firefox < 141, Firefox ESR < 140.1, Thunderbird < 141, and Thunderbird < 140.1.
AI Analysis
Technical Summary
CVE-2025-8036 is a high-severity vulnerability affecting Mozilla Firefox and Thunderbird versions prior to Firefox 141 and Thunderbird 141 (and their ESR counterparts). The vulnerability arises from Firefox caching Cross-Origin Resource Sharing (CORS) preflight responses across IP address changes. Specifically, when a DNS rebinding attack is performed, an attacker can manipulate the DNS resolution of a domain to point to different IP addresses over time. Because Firefox caches the CORS preflight response without properly validating the IP address consistency, an attacker can bypass the same-origin policy enforced by CORS. This allows malicious web pages to perform unauthorized cross-origin requests, potentially accessing sensitive data or performing actions on behalf of the user without proper authorization. The vulnerability is classified under CWE-350 (Improper Verification of Cryptographic Signature), reflecting the improper validation of CORS preflight responses. The CVSS v3.1 base score is 8.1, indicating a high severity, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), but requiring user interaction (UI:R). The impact on confidentiality and integrity is high (C:H/I:H), while availability is not impacted (A:N). No known exploits are currently reported in the wild, and no official patches or mitigation links are provided yet. However, the vulnerability poses a significant risk due to the widespread use of Firefox and Thunderbird in both personal and enterprise environments. Attackers exploiting this vulnerability could steal sensitive information or perform unauthorized actions by circumventing CORS protections, which are critical for web security.
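The caching flaw described above can be reduced to a small model. This is an added example, not Firefox code and not part of the original advisory: the class, its bind_to_ip switch, the host names and the addresses are all constructed for illustration. It shows a preflight cache that reuses a cached permission after the name resolves elsewhere, next to a variant that ties each entry to the address that answered the preflight.

```python
from dataclasses import dataclass


@dataclass
class PreflightEntry:
    allowed_methods: frozenset
    expires_at: float
    server_ip: str  # address that answered the OPTIONS preflight


class PreflightCache:
    """Toy CORS preflight cache (hypothetical model, not browser code)."""

    def __init__(self, bind_to_ip):
        self.bind_to_ip = bind_to_ip  # False models the flawed behaviour
        self.entries = {}

    def store(self, origin, url, methods, max_age, server_ip, now):
        self.entries[(origin, url)] = PreflightEntry(
            frozenset(methods), now + max_age, server_ip)

    def needs_preflight(self, origin, url, method, current_ip, now):
        """True when a fresh preflight must be sent before the real request."""
        entry = self.entries.get((origin, url))
        if entry is None or now >= entry.expires_at:
            return True
        if method not in entry.allowed_methods:
            return True
        if self.bind_to_ip and entry.server_ip != current_ip:
            # The name now points at a different host: the cached answer
            # says nothing about what this host permits, so drop it.
            del self.entries[(origin, url)]
            return True
        return False


def simulate(bind_to_ip):
    cache = PreflightCache(bind_to_ip)
    origin, url = "https://page.example", "https://api.rebind.example/data"
    # t=0: the name resolves to 203.0.113.10, which answers the preflight.
    cache.store(origin, url, {"PUT"}, max_age=600,
                server_ip="203.0.113.10", now=0)
    # t=60: the same name resolves to 192.168.1.20, which never opted in.
    return cache.needs_preflight(origin, url, "PUT",
                                 current_ip="192.168.1.20", now=60)
```

simulate(False) returns False, meaning the request goes to the new address with no preflight; simulate(True) returns True, forcing the new host to answer its own preflight.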
Potential Impact
For European organizations, this vulnerability could have serious implications. Many enterprises and public sector organizations in Europe rely on Firefox and Thunderbird for daily operations, including accessing internal web applications and handling sensitive communications. An attacker exploiting this vulnerability could bypass CORS restrictions to access internal APIs or data that should be protected by same-origin policies, leading to data breaches or unauthorized actions within corporate networks. This is particularly concerning for sectors with strict data protection requirements such as finance, healthcare, and government. Additionally, since no authentication is required and the attack only requires user interaction (e.g., visiting a malicious website), the attack surface is broad. The confidentiality and integrity of sensitive data could be compromised, potentially violating GDPR regulations and resulting in legal and reputational damage. The lack of availability impact means systems remain operational, but the silent data exfiltration or manipulation risk remains high. Organizations using Firefox ESR versions in managed environments are also at risk, necessitating urgent attention.
Mitigation Recommendations
European organizations should prioritize updating Firefox and Thunderbird to versions 141 and 140.1 ESR or later as soon as patches become available. Until patches are released, organizations should implement network-level protections such as blocking access to known malicious domains and monitoring DNS rebinding attempts. Web application firewalls (WAFs) can be configured to detect and block suspicious CORS preflight requests or unusual cross-origin traffic patterns. Security teams should educate users about the risks of visiting untrusted websites and consider deploying browser security policies that restrict or disable CORS where feasible. Additionally, internal web applications should implement strict server-side CORS validation and consider additional authentication layers to mitigate unauthorized access even if CORS is bypassed. Monitoring network traffic for anomalies related to DNS rebinding and CORS requests can help detect exploitation attempts. Organizations should also review their incident response plans to address potential data breaches resulting from this vulnerability.
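One way to implement the DNS rebinding monitoring recommended above, as an added example that is not part of the original advisory: it scans resolver logs for a name that answers with an external address and then with an internal one shortly afterwards. The log format, the sample lines, the function names and the 300-second window are assumptions made for this sketch.

```python
import ipaddress

# Ranges treated as internal: RFC 1918, loopback, link-local, IPv6 ULA.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# Constructed resolver log: "<epoch seconds> <query name> <answer> <ttl>"
SAMPLE_LOG = """\
1000 cdn.example.net 198.51.100.7 300
1010 rb.example.org 203.0.113.10 1
1015 intranet.corp.example 10.0.0.5 3600
1020 rb.example.org 192.168.1.20 1
1400 cdn.example.net 198.51.100.8 300
5000 late.example.com 203.0.113.44 60
9000 late.example.com 127.0.0.1 60
"""


def is_internal(ip):
    addr = ipaddress.ip_address(ip)  # raises ValueError on garbage
    return any(addr in net for net in INTERNAL_NETS)


def find_rebinding(log_text, window=300):
    """Return (name, internal_ip, seconds_since_external_answer, ttl) for
    names that flipped from an external to an internal address in `window`."""
    last_external = {}  # name -> time of most recent external answer
    flagged = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not match the assumed format
        try:
            ts, ttl = int(parts[0]), int(parts[3])
            internal = is_internal(parts[2])
        except ValueError:
            continue
        name = parts[1].lower().rstrip(".")
        if not internal:
            last_external[name] = ts
        elif name in last_external and ts - last_external[name] <= window:
            flagged.append((name, parts[2], ts - last_external[name], ttl))
    return flagged
```

Names that only ever resolve internally, such as intranet.corp.example in the sample, are not flagged; only the external-then-internal flip inside the window is.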
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Belgium, Poland, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: mozilla
- Date Reserved: 2025-07-22T10:14:02.586Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 687ffd50a915ff00f7fb59a7
Added to database: 7/22/2025, 9:06:24 PM
Last enriched: 8/7/2025, 1:27:05 AM
Last updated: 8/27/2025, 7:28:09 PM