CVE-2025-4083

A process isolation vulnerability in Firefox stemmed from improper handling of javascript: URIs, which could allow content to execute in the top-level document's process instead of the intended frame, potentially enabling a sandbox escape. This vulnerability affects Firefox < 138, Firefox ESR < 128.10, Firefox ESR < 115.23, Thunderbird < 138, and Thunderbird ESR < 128.10.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://bugzilla.mozilla.org/show_bug.cgi?id=1958350
https://www.mozilla.org/security/advisories/mfsa2025-28/
https://www.mozilla.org/security/advisories/mfsa2025-29/
https://www.mozilla.org/security/advisories/mfsa2025-30/
https://www.mozilla.org/security/advisories/mfsa2025-31/
https://www.mozilla.org/security/advisories/mfsa2025-32/

Configurations

No configuration.

History

30 Apr 2025, 14:15

Type	Values Removed	Values Added
CWE		CWE-653
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.1
Summary		(es) Una vulnerabilidad de aislamiento de procesos en Firefox se originó debido a una gestión inadecuada de las URI de JavaScript, lo que podría permitir que el contenido se ejecutara en el proceso del documento de nivel superior en lugar del marco previsto, lo que podría habilitar un escape de la zona protegida. Esta vulnerabilidad afecta a Firefox < 138, Firefox ESR < 128.10, Firefox ESR < 115.23, Thunderbird < 138 y Thunderbird ESR < 128.10.

29 Apr 2025, 14:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-04-29 14:15

Updated : 2025-04-30 14:15

NVD link : CVE-2025-4083

Mitre link : CVE-2025-4083

CVE.ORG link : CVE-2025-4083

JSON object : View

Products Affected

No product.

CWE

CWE-653

Improper Isolation or Compartmentalization

{"id": "CVE-2025-4083", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}]}, "published": "2025-04-29T14:15:35.003", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1958350", "source": "security@mozilla.org"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-28/", "source": "security@mozilla.org"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-29/", "source": "security@mozilla.org"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-30/", "source": "security@mozilla.org"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-31/", "source": "security@mozilla.org"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-32/", "source": "security@mozilla.org"}], "vulnStatus": "Received", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-653"}]}], "descriptions": [{"lang": "en", "value": "A process isolation vulnerability in Firefox stemmed from improper handling of javascript: URIs, which could allow content to execute in the top-level document's process instead of the intended frame, potentially enabling a sandbox escape. This vulnerability affects Firefox < 138, Firefox ESR < 128.10, Firefox ESR < 115.23, Thunderbird < 138, and Thunderbird ESR < 128.10."}, {"lang": "es", "value": "Una vulnerabilidad de aislamiento de procesos en Firefox se origin\u00f3 debido a una gesti\u00f3n inadecuada de las URI de JavaScript, lo que podr\u00eda permitir que el contenido se ejecutara en el proceso del documento de nivel superior en lugar del marco previsto, lo que podr\u00eda habilitar un escape de la zona protegida. Esta vulnerabilidad afecta a Firefox < 138, Firefox ESR < 128.10, Firefox ESR < 115.23, Thunderbird < 138 y Thunderbird ESR < 128.10."}], "lastModified": "2025-04-30T14:15:30.400", "sourceIdentifier": "security@mozilla.org"}