CVE-2023-25729

8.8 HIGH

📋 TL;DR

An installed Firefox or Thunderbird extension can open external schemes (file://, mailto:, custom protocol handlers registered with the OS) without the permission prompt that normally asks the user to confirm the launch. Per the Mozilla advisory, that prompt was only shown for ContentPrincipals, so an extension could hand a URL to an external application or protocol handler silently, for example to fetch a file or drive installed software, with no user consent. Fixed in Firefox 110, Firefox ESR 102.8 and Thunderbird 102.8; earlier versions are affected.

💻 Affected Systems

Products:
  • Mozilla Firefox
  • Mozilla Thunderbird
  • Mozilla Firefox ESR
Versions: Firefox < 110, Thunderbird < 102.8, Firefox ESR < 102.8
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable; no browser setting prevents the prompt bypass short of updating. Exploitation requires a malicious (or compromised) extension to already be installed.

📦 What is this software?

Firefox is Mozilla's web browser; Firefox ESR (Extended Support Release) is its long-term branch, used mainly in managed enterprise deployments; Thunderbird is Mozilla's email client, built on the same platform code. All three run WebExtensions, and the prompt at issue is the one the platform shows before handing a URL with an external or unknown scheme (file://, mailto:, custom protocols registered with the OS) to another application.

⚠️ Risk & Real-World Impact

🔴

Worst Case

A malicious extension silently hands file:// paths or custom-protocol URLs to external applications or OS protocol handlers. Chained with a handler that does something dangerous with attacker-controlled input (a bug in the registered application, or a handler that runs whatever file it is given), this can reach code execution or data theft on the host. The browser bug itself is the missing prompt, not the execution; the damage depends on what the target application does with the URL.

🟠

Likely Case

A malicious extension fetches unwanted files, opens phishing or mailto: links, or triggers behaviour in other installed applications, with no prompt to alert the user that anything was launched.

🟢

If Mitigated

With extension vetting and allowlisting in place a rogue extension never gets installed; if one slips through, the impact is limited to the unprompted file fetch or application launch itself.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires a malicious extension to be installed, whether by the user directly or through a compromised update of an extension they already trust; once installed, the bypass needs no further user interaction.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 110+, Thunderbird 102.8+, Firefox ESR 102.8+

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2023-05/

Restart Required: Yes

Instructions:

1. Open Firefox or Thunderbird.
2. Open the menu, then Help → About Firefox (or About Thunderbird). The About dialog checks for and downloads the update.
3. Click "Restart to update" when prompted.
4. Reopen the About dialog and confirm the version is 110 or later (Firefox) or 102.8 or later (Firefox ESR, Thunderbird).

Distribution-packaged builds on Linux (apt, dnf, snap, flatpak) do not self-update; install the fixed package through the package manager instead. Managed Windows and macOS fleets normally receive the updated installer through their deployment tooling rather than the in-app updater.

🔧 Temporary Workarounds

Disable unnecessary extensions (all platforms)

Remove or disable extensions that are not essential, especially ones installed from outside addons.mozilla.org or from unknown authors. Review the installed list in about:addons.

Use extension allowlisting (all platforms)

Configure the browser through enterprise policies to allow only approved extensions from trusted sources and block everything else.

🧯 If You Can't Patch

  • Restrict installation of browser extensions to trusted sources only.
  • Monitor for unexpected file downloads or external application launches.
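The allowlisting workaround above and the "trusted sources only" point in this list can be enforced with Firefox's ExtensionSettings enterprise policy. The script below is an added example, not Mozilla's code or anything from the advisory: it generates a policies.json that blocks every extension except the IDs you pass in. Assumptions: the caller supplies the target directory (system-wide Linux builds read /etc/firefox/policies/policies.json or <install dir>/distribution/policies.json, macOS reads /Applications/Firefox.app/Contents/Resources/distribution/policies.json, Windows reads <install dir>\distribution\policies.json), and the extension ID in the usage line is a hypothetical placeholder.

```shell
#!/bin/sh
# Added example (not Mozilla's code): generate a Firefox enterprise policies.json
# that blocks every extension except an explicit allowlist, via ExtensionSettings.
# The directory is an assumption supplied by the caller; see the lead-in for the
# per-platform locations Firefox reads.

# write_extension_allowlist DIR ID...: writes DIR/policies.json and prints its path.
# "*": "blocked" blocks installation of anything not listed and removes such
# extensions if they are already installed; each listed ID is "allowed".
write_extension_allowlist() {
    dir="$1"; shift
    mkdir -p "$dir"
    out="$dir/policies.json"
    {
        printf '{\n  "policies": {\n    "ExtensionSettings": {\n'
        printf '      "*": {\n'
        printf '        "installation_mode": "blocked",\n'
        printf '        "blocked_install_message": "Only approved extensions may be installed (CVE-2023-25729 mitigation)."\n'
        printf '      }'
        for id in "$@"; do
            printf ',\n      "%s": {\n        "installation_mode": "allowed"\n      }' "$id"
        done
        printf '\n    }\n  }\n}\n'
    } > "$out"
    # Sanity-check the JSON if a parser is available; Firefox silently ignores a
    # malformed policies.json, which would leave the fleet unprotected.
    if command -v python3 >/dev/null 2>&1; then
        python3 -m json.tool "$out" >/dev/null || { echo "generated JSON is invalid" >&2; return 1; }
    fi
    echo "$out"
}

# Stand-alone use (hypothetical extension ID):
#   sh allowlist.sh /etc/firefox/policies approved-extension@example.com
if [ "$#" -ge 1 ]; then
    write_extension_allowlist "$@"
fi
```

After deployment, open about:policies in Firefox to confirm the policy was read. Thunderbird reads the same file format from its own install directory; check its policy templates for the keys it supports before reusing the file there.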

🔍 How to Verify

Check if Vulnerable:

Check browser version in About dialog. If Firefox < 110, Thunderbird < 102.8, or Firefox ESR < 102.8, system is vulnerable.

Check Version:

firefox --version or thunderbird --version in a Linux terminal (on macOS the binary sits inside the bundle, e.g. /Applications/Firefox.app/Contents/MacOS/firefox --version); in the GUI, Help → About or about:support shows the version. ESR builds report their version with an esr suffix, e.g. 102.7.0esr, and must be compared against 102.8 rather than 110.

Verify Fix Applied:

Confirm version is Firefox ≥ 110, Thunderbird ≥ 102.8, or Firefox ESR ≥ 102.8 after update.
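The version check above, as an added example that is not part of the page or the advisory: it parses the output of firefox --version / thunderbird --version, tells ESR builds apart by their esr suffix, and compares against the fixed release for each product. The fixed versions are those stated in the advisory; the command names are assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not from the Mozilla advisory or this page): decide from the
# output of "firefox --version" / "thunderbird --version" whether a build is
# below the fixed release for CVE-2023-25729.
# Fixed releases per the advisory: Firefox 110, Firefox ESR 102.8, Thunderbird 102.8.

# version_lt A B: exit 0 when dotted version A sorts below B. Missing components
# count as 0, so "110.0" is not below "110"; awk's numeric coercion drops a
# trailing "esr", so "102.7.0esr" compares as 102.7.0.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            p = (i <= n) ? x[i] + 0 : 0
            q = (i <= m) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1
    }'
}

# cve_2023_25729_status "<--version output>": prints a verdict.
# exit 0 = vulnerable, 1 = fixed, 2 = unrecognised product string.
cve_2023_25729_status() {
    line="$1"
    version=$(printf '%s' "$line" | awk '{print $3}')
    case "$line" in
        "Mozilla Firefox "*esr*) product="Firefox ESR"; fixed="102.8" ;;
        "Mozilla Firefox "*)     product="Firefox";     fixed="110" ;;
        "Mozilla Thunderbird "*) product="Thunderbird"; fixed="102.8" ;;
        *) echo "unrecognised version string: $line" >&2; return 2 ;;
    esac
    if version_lt "$version" "$fixed"; then
        echo "VULNERABLE: $product $version is below $fixed"
        return 0
    fi
    echo "fixed: $product $version is $fixed or later"
    return 1
}

# Stand-alone use:  sh check.sh "$(firefox --version)"
if [ "$#" -gt 0 ]; then
    cve_2023_25729_status "$*"
fi
```

The exit code makes it usable from a fleet-wide inventory job: run it on each host and collect the ones that exit 0.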

📡 Detection & Monitoring

Log Indicators:

  • A browser or mail-client process (firefox, thunderbird) spawning an external application or protocol handler with a file://, mailto: or custom-scheme URL on its command line, with no matching user action
  • Firefox and Thunderbird do not natively log external-scheme launches or prompt decisions, so this telemetry has to come from the endpoint: process-creation events (Sysmon Event ID 1, auditd execve, EDR) where the parent image is the browser or mail client

Network Indicators:

  • Downloads initiated by the browser or mail client with no preceding user navigation, especially shortly after an extension install or update

SIEM Query:

source="browser_logs" AND (event="external_scheme_launch" OR event="permission_bypass")

The source and event names in the query are placeholders; map them to whatever your process-creation source emits (for Sysmon: ParentImage, Image, CommandLine).
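The process-creation detection described above, as an added example that is not from this page: it reads one event per line, keeps only events whose parent is the browser or mail client, ignores the helper processes Firefox and Thunderbird spawn themselves, and flags everything else, noting when a URL scheme appears in the child's arguments. The event format (timestamp|parent_image|child_image|command_line) and the sample events are constructed for this example, modelled loosely on Sysmon Event ID 1 and auditd execve fields; the helper-process list is an assumption to tune for your builds.

```shell
#!/bin/sh
# Added example (not from this page): flag process-creation events in which the
# browser or mail client spawned something other than one of its own helper
# processes, which is the host-side trace of an external-scheme launch.
# Event format (constructed for this example): "timestamp|parent_image|child_image|command_line"

# Helper binaries Firefox/Thunderbird legitimately spawn themselves (assumed list;
# tune for your builds). Anything else with the browser as direct parent is reported.
EXPECTED_CHILDREN='firefox,firefox-bin,thunderbird,thunderbird-bin,plugin-container,crashreporter,updater,glxtest,vaapitest,pingsender'

# flag_external_launches: reads events on stdin, prints one ALERT line per
# suspicious launch; exit 0 if anything was flagged, 1 otherwise.
flag_external_launches() {
    awk -F'|' -v expected="$EXPECTED_CHILDREN" '
    BEGIN { n = split(expected, e, ","); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
    {
        parent = $2; child = $3; cmd = $4
        sub(/.*\//, "", parent); sub(/.*\//, "", child)     # basename of each image
        if (parent !~ /^(firefox|firefox-bin|thunderbird|thunderbird-bin)$/) next
        if (child in ok) next
        reason = "unexpected child of " parent
        # Heuristic: a lowercase scheme followed by ":" in the arguments (mailto:,
        # file:, ms-word:, ...) means a URL was handed to the child.
        if (cmd ~ / [a-z][a-z0-9+.-]*:/) reason = reason ", URL scheme in argv"
        print $1 " ALERT child=" child " (" reason "): " cmd
        alerts++
    }
    END { if (alerts > 0) exit 0; exit 1 }'
}

# Constructed sample events: two helper spawns (benign), a mailto: handed to
# xdg-open, a PDF viewer launched by the browser, and an unrelated evince launch.
SAMPLE_EVENTS='2023-02-15T10:01:02Z|/usr/lib/firefox/firefox|/usr/lib/firefox/firefox|/usr/lib/firefox/firefox -contentproc -childID 3
2023-02-15T10:01:05Z|/usr/lib/firefox/firefox|/usr/bin/xdg-open|xdg-open mailto:it-helpdesk@example.com?subject=reset&body=click
2023-02-15T10:01:06Z|/usr/lib/firefox/firefox|/usr/lib/firefox/plugin-container|plugin-container -childID 4
2023-02-15T10:02:10Z|/usr/lib/firefox/firefox|/usr/bin/evince|evince /tmp/mozilla_user0/invoice.pdf
2023-02-15T10:03:00Z|/usr/bin/bash|/usr/bin/evince|evince report.pdf'

# Stand-alone use: sh detect.sh events.log   (no argument: run on the sample above)
if [ "$#" -gt 0 ]; then
    cat -- "$@" | flag_external_launches
else
    printf '%s\n' "$SAMPLE_EVENTS" | flag_external_launches
fi
```

The alerts are triage candidates, not proof of exploitation: a user clicking a mailto: link produces the same process tree as an extension opening one. What the event stream cannot show is whether the prompt was displayed, so correlate with recent extension installs or updates and with whether the user was interacting with the browser at that moment.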

🔗 References

  • https://www.mozilla.org/security/advisories/mfsa2023-05/ (Firefox 110)
  • https://www.mozilla.org/security/advisories/mfsa2023-06/ (Firefox ESR 102.8)
  • https://www.mozilla.org/security/advisories/mfsa2023-07/ (Thunderbird 102.8)
  • https://nvd.nist.gov/vuln/detail/CVE-2023-25729