Mozilla Thunderbird Security Advisory: UAF, CSP Bypass, DNS Leak (CVE-2025-6424, 6426, 6427, 6429, 6430, 6432)

Critical Vulnerability Information Vulnerability Overview Advisory ID: Mozilla Foundation Security Advisory 2025-54 Affected Product: Thunderbird Fixed Version: Thunderbird 140 Release Date: July 8, 2025 Specific Vulnerability Details 1. CVE-2025-6424: Use-after-free in FontFaceSet - Reporter: Lihua Yan and rwaldhoff (account research team) - Impact: high - Description: A use-after-free in FontFaceSet resulted in a potentially exploitable crash. 2. CVE-2025-6426: The WebCompat WebExtension shipped exposed a persistent UUID - Reporter: Rob Wu - Impact: moderate - Description: An attack on web-connected resources from the WebCompat extension could have obtained a persistent UUID that identified the browser and persisted between restarts and newly installed extensions. 3. CVE-2025-6426: No warning when opening executable terminal files on macOS - Reporter: jankar - Impact: moderate - Description: The executable file for warning did not warn users before opening files with the terminal application. 4. CVE-2025-6427: connect-src Content Security Policy restriction could be bypassed - Reporter: Arantxa Villegas - Impact: moderate - Description: An attacker was able to bypass the connect-src directive of a Content Security Policy by manipulating the URL scheme. 5. CVE-2025-6429: Incorrect parsing of URLs could have allowed embedding of youtube.com - Reporter: Alejandro Kinguera - Impact: moderate - Description: Thunderbird could have incorrectly parsed a URL and rendered it in the wrong context domain when parsing the text specified in an encoding. 6. CVE-2025-6430: Content-Disposition header ignored when a file is included in an embed or object tag - Reporter: Dami Batista Positive Technologies - Impact: moderate - Description: When a file download is specified in the Content-Disposition header, that directive is ignored if the server includes a script in an object tag. 7. CVE-2025-6432: DNS Requests leaked outside of a configured SOCKS proxy - Reporter: Alexei - Impact: low - Description: When a secure connection was enabled, DNS requests could have bypassed a SOCKS proxy when the domain name was invalid or the SOCKS server was not responding. 8. CVE-2025-6433: WebAuthn would allow a user to sign a challenge on a webpage with an invalid TLS certificate - Reporter: Simon - Impact: low - Description: If a secure connection was established with an invalid TLS certificate and prompted an exception, the webpage was about to provide a WebAuthn challenge that the user would be prompted to confirm. 9. CVE-2025-6435: HTTPS-Only exception screen lacked anti-clickjacking delay - Reporter: heffers & kangal - Impact: low - Description: The exception screen for the HTTPS-Only feature displayed without a noticeable delay on HTTP blocked and anti-clickjacking delay, potentially allowing an attacker to trick a user into granting an exception and loading a webpage over HTTP. 10. CVE-2025-6436: Save as in Devtools could download files without sanitizing the extension - Reporter: Artemis Eustace M.K - Impact: low - Description: If a user saved a response from the network tab in Devtools using the Save As context menu option, the file may not have been saved with the correct file extension. 11. CVE-2025-6436: Memory safety bugs fixed in Firefox 140 and Thunderbird 140 - Reporter: Andrew McCreight, Ondrej Brotina, Beth Reiter-Schreck, the Mozilla Fuzzing Team - Impact: high - Description: Memory safety bugs present in Firefox 140 and Thunderbird 140.

Goal Reached Thanks to every supporter — we hit 100%!

Mozilla Thunderbird Security Advisory: UAF, CSP Bypass, DNS Leak (CVE-2025-6424, 6426, 6427, 6429, 6430, 6432)

More from this source