Firefox/Thunderbird 141 & ESR Security Update: Memory Safety & CSP Bypass Vulnerabilities (CVE-2025-8027 to 8040)

Critical Vulnerability Information Vulnerability IDs and Impact Levels CVE-2025-8027: JavaScript engine only wrote partial return value to stack (Impact: High) CVE-2025-8028: Large branch table could lead to truncated instruction (Impact: High) CVE-2025-8029: JavaScript URLs executed on object and embed tags (Impact: Moderate) CVE-2025-8030: DNS rebinding circumvents cors (Impact: Moderate) CVE-2025-8031: Nameless cookies shadow secure cookies (Impact: Moderate) CVE-2025-8032: Potential user-assisted code execution in "Copy as cURL" command (Impact: Moderate) CVE-2025-8033: Incorrect URL stripping in CSP reports (Impact: Moderate) CVE-2025-8034: XSLT documents could bypass CSP (Impact: Moderate) CVE-2025-8035: CSP frame-src was not correctly enforced for paths (Impact: Low) CVE-2025-8036: Search terms persisted in URL bar (Impact: Low) CVE-2025-8037: Incorrect JavaScript state machine for generators (Impact: Low) CVE-2025-8038: Memory safety bugs fixed in Firefox ESR 118.2.6, Firefox ESR 128.1.3, Thunderbird ESR 128.1.3, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141, and Thunderbird 141 (Impact: High) CVE-2025-8039: Memory safety bugs fixed in Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141, and Thunderbird 141 (Impact: High) CVE-2025-8040: Memory safety bugs fixed in Firefox ESR 128.1.3, Thunderbird ESR 128.1.3, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141, and Thunderbird 141 (Impact: High) Affected Products and Versions Thunderbird 140.1 Reporters Reporters for individual vulnerabilities include: PS MOPP, Gary Kwong, David Keeler, Vladimir Vukicevic, Luke Wagner, Tom Schuster, Jon Coppeard, Steve Michaud, David Keeler, Andrew McColm, Aditya Kulkarni, and others. Description Specific descriptions for each vulnerability, such as JavaScript engine issues, DNS rebinding bypassing CORS, memory safety issues, etc.

Goal Reached Thanks to every supporter — we hit 100%!

Firefox/Thunderbird 141 & ESR Security Update: Memory Safety & CSP Bypass Vulnerabilities (CVE-2025-8027 to 8040)

More from this source