Mozilla Foundation Security Advisory 2025-23

Security Vulnerabilities fixed in Thunderbird 137

Announced

April 1, 2025

Impact

high

Products

Thunderbird

Fixed in

Thunderbird 137

#CVE-2025-3028: Use-after-free triggered by XSLTProcessor

Reporter: Ivan Fratric of Google Project Zero
Impact: high

Description

JavaScript code running while transforming a document with the XSLTProcessor could lead to a use-after-free.

References

Bug 1941002

#CVE-2025-3031: JIT optimization bug with different stack slot sizes

Reporter: anbu
Impact: moderate

Description

An attacker could read 32 bits of values spilled onto the stack in a JIT compiled function.

References

Bug 1947141

#CVE-2025-3032: Leaking file descriptors from the fork server

Reporter: Thinker Li
Impact: moderate

Description

Leaking of file descriptors from the fork server to web content processes could allow for privilege escalation attacks.

References

Bug 1949987

#CVE-2025-3029: URL bar spoofing via non-BMP Unicode characters

Reporter: Renwa Hiwa
Impact: moderate

Description

A crafted URL containing specific Unicode characters could have hidden the true origin of the page, resulting in a potential spoofing attack.

References

Bug 1952213

#CVE-2025-3033: Opening local .url files could lead to another file being opened

Reporter: Ameen Basha M K
Impact: low

Description

After selecting a malicious Windows .url shortcut from the local filesystem, an unexpected file could be uploaded.
This bug only affects Thunderbird on Windows. Other operating systems are unaffected.

References

Bug 1950056

#CVE-2025-3030: Memory safety bugs fixed in Firefox 137, Thunderbird 137, Firefox ESR 128.9, and Thunderbird 128.9

Reporter: Sylvestre Ledru, Paul Bone and the Mozilla Fuzzing Team
Impact: high

Description

Memory safety bugs present in Firefox 136, Thunderbird 136, Firefox ESR 128.8, and Thunderbird 128.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

References

Memory safety bugs fixed in Firefox 137, Thunderbird 137, Firefox ESR 128.9, and Thunderbird 128.9

#CVE-2025-3034: Memory safety bugs fixed in Firefox 137 and Thunderbird 137

Reporter: Andrew McCreight and the Mozilla Fuzzing Team
Impact: high

Description

Memory safety bugs present in Firefox 136 and Thunderbird 136. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

References

Memory safety bugs fixed in Firefox 137 and Thunderbird 137

Firefox for Desktop

Firefox for iOS

Firefox for Android

Firefox Focus

Firefox blog

Mozilla VPN

Mozilla Monitor

Firefox Relay

Pocket

MDN Plus

Fakespot

Thunderbird

About Mozilla

The Mozilla Manifesto

Get Involved

Innovation Projects

Blog