Mozilla Foundation Security Advisory 2025-24

Security Vulnerabilities fixed in Thunderbird ESR 128.9

Announced

April 1, 2025

Impact

high

Products

Thunderbird

Fixed in

Thunderbird 128.9

#CVE-2025-3028: Use-after-free triggered by XSLTProcessor

Reporter: Ivan Fratric of Google Project Zero
Impact: high

Description

JavaScript code running while transforming a document with the XSLTProcessor could lead to a use-after-free.

References

Bug 1941002

#CVE-2025-3029: URL Bar Spoofing via non-BMP Unicode characters

Reporter: Renwa Hiwa
Impact: moderate

Description

A crafted URL containing specific Unicode characters could have hidden the true origin of the page, resulting in a potential spoofing attack.

References

Bug 1952213

#CVE-2025-3030: Memory safety bugs fixed in Firefox 137, Thunderbird 137, Firefox ESR 128.9, and Thunderbird 128.9

Reporter: Sylvestre Ledru, Paul Bone and the Mozilla Fuzzing Team
Impact: high

Description

Memory safety bugs present in Firefox 136, Thunderbird 136, Firefox ESR 128.8, and Thunderbird 128.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

References

Memory safety bugs fixed in Firefox 137, Thunderbird 137, Firefox ESR 128.9, and Thunderbird 128.9

Firefox for Desktop

Firefox for iOS

Firefox for Android

Firefox Focus

Firefox blog

Mozilla VPN

Mozilla Monitor

Firefox Relay

Pocket

MDN Plus

Fakespot

Thunderbird

About Mozilla

The Mozilla Manifesto

Get Involved

Innovation Projects

Blog