CVE-2025-4085
📋 TL;DR
An attacker who has already compromised a content (renderer) process can abuse the privileged UITour actor, whose parent-process side runs outside the content sandbox, to leak sensitive information or escalate privileges into the main browser process. Firefox versions before 138 and Thunderbird versions before 138 are affected. The bug is not reachable from ordinary web content on its own: the attacker first needs a foothold in a content process, typically obtained through a separate vulnerability.
💻 Affected Systems
- Mozilla Firefox
- Mozilla Thunderbird
📦 What is this software?
Firefox by Mozilla: the open-source web browser built on the Gecko engine, which renders pages in sandboxed content processes that talk to a privileged parent process over IPC actors such as UITour.
Thunderbird by Mozilla: the email and calendar client built on the same Gecko platform, which is why it shares the affected code and the same fix version.
⚠️ Risk & Real-World Impact
Worst Case
Escape from a compromised, sandboxed content process into the privileged parent process, which runs unsandboxed with the logged-in user's rights. From there the attacker can run arbitrary code as that user and read anything the browser profile can reach; going beyond the user's privileges to system level would require a further, separate bug.
Likely Case
Leakage of data that only the parent process should see to a content process the attacker already controls. Browsing history and saved logins are held by the parent process and are plausible targets, although the advisory does not enumerate what the actor exposes.
If Mitigated
Process isolation does not contain this bug: the vulnerable code is the parent-process side of the actor, so the sandbox boundary is exactly what gets crossed. What limits exposure in practice is that the attacker still needs a separate content-process bug to get started, so a browser that is otherwise current is harder to reach. Updating to 138 is the only complete mitigation.
🎯 Exploit Status
Exploitation requires prior control of a content process, so this bug is a second-stage (sandbox-escape) primitive rather than a standalone remote exploit. No public proof-of-concept was known when the advisory was published.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Firefox 138, Thunderbird 138
Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2025-28/
Restart Required: Yes
Instructions:
1. Open Firefox or Thunderbird.
2. Click the menu button (three horizontal lines).
3. Select Help > About Firefox (or About Thunderbird).
4. The About dialog checks for updates and downloads 138 or later if one is available.
5. Restart the application when prompted; the fix is not active until the restart.
Managed fleets can push the update through their usual package or MDM channel instead of relying on the in-app updater.
🔧 Temporary Workarounds
Disable JavaScript
Removes the most common way for a malicious page to gain control of a content process, which this bug requires as a first step. It breaks most modern websites and does not fix the parent-process flaw itself, so treat it as a stopgap for high-risk hosts only.
about:config > javascript.enabled = false
Enable Enhanced Tracking Protection (Strict)
Blocks known tracker and fingerprinting scripts, which marginally shrinks the attack surface a page can use to get a content-process foothold. It is a privacy feature, not a security boundary, and offers no protection once a content process is compromised.
Settings > Privacy & Security > Enhanced Tracking Protection > Strict
🧯 If You Can't Patch
- Restrict browser usage to trusted websites only
- Use application allowlisting or endpoint management to block launching builds older than 138, so unpatched copies cannot be started until they are updated
🔍 How to Verify
Check if Vulnerable:
Open Help > About Firefox (or About Thunderbird) and read the version. A mainline release below 138 is vulnerable. ESR builds (for example 128.x) carry lower numbers by design, so compare those against the versions listed in the advisory rather than against 138.
Check Version:
firefox --version
thunderbird --version
Run each command separately on Linux or macOS; it prints a line such as "Mozilla Firefox 137.0.2". On Windows the executable writes nothing to the console for this flag, so read the version from the About dialog or from the file properties of firefox.exe or thunderbird.exe instead.
Verify Fix Applied:
Verify version is 138 or higher in About dialog after update and restart.
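As an added example, not code from this page or from Mozilla, the following Python script performs the version check above for a whole host and handles the two ways a naive check goes wrong: comparing versions as strings ('99.0' sorts after '138.0') and treating ESR builds, which are numbered below 138 by design, as automatically vulnerable. The binary names searched on PATH, the ESR handling and the sample strings in the tests are assumptions for illustration.

```python
"""Added example (not Mozilla's code): decide whether an installed Firefox or
Thunderbird predates the fixed release for CVE-2025-4085 (MFSA 2025-28).

Assumptions: `firefox --version` / `thunderbird --version` print a line such
as "Mozilla Firefox 137.0.2" or "Thunderbird 138.0" (true on Linux/macOS; on
Windows the binary prints nothing, so pass the executable's file version
string to classify() instead).  Sample strings used for testing are
constructed, not captured from real hosts.
"""
from __future__ import annotations

import re
import shutil
import subprocess

FIXED_MAJOR = 138  # first mainline release carrying the fix

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> tuple[int, ...] | None:
    """Extract (major, minor, patch) from a --version line; None if absent."""
    match = _VERSION_RE.search(text)
    if not match:
        return None
    return tuple(int(g) if g is not None else 0 for g in match.groups())


def classify(text: str) -> str:
    """Return 'vulnerable', 'fixed', 'esr' or 'unknown' for a version line.

    Versions are compared numerically on the major component.  ESR builds are
    reported separately because their numbers are below 138 regardless of
    whether the branch carries the fix; check them against the advisory.
    """
    version = parse_version(text)
    if version is None:
        return "unknown"
    if "esr" in text.lower():
        return "esr"
    return "vulnerable" if version[0] < FIXED_MAJOR else "fixed"


def check_installed(binary: str) -> str:
    """Run `<binary> --version` if it is on PATH and classify the output."""
    path = shutil.which(binary)
    if path is None:
        return f"{binary}: not installed"
    out = subprocess.run(
        [path, "--version"], capture_output=True, text=True, timeout=30
    ).stdout.strip()
    verdict = {
        "vulnerable": f"VULNERABLE, update to {FIXED_MAJOR} or later",
        "fixed": "fixed",
        "esr": "ESR build, compare against the advisory's ESR versions",
        "unknown": "could not parse version",
    }[classify(out)]
    return f"{binary}: {out!r} ({verdict})"


if __name__ == "__main__":
    for name in ("firefox", "thunderbird"):
        print(check_installed(name))
```

Run it as an ordinary script on each host, or import classify() from an inventory job that already has version strings. On Windows, feed classify() the executable's file version (the VersionInfo of firefox.exe or thunderbird.exe) rather than calling the binary.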
📡 Detection & Monitoring
Log Indicators:
- Firefox and Thunderbird do not log UITour actor traffic, so there is no direct indicator for the vulnerable IPC path. Hunt instead for what an escaped parent process does next: firefox.exe or thunderbird.exe spawning children other than its own helpers (plugin-container, crashreporter, updater), writing executables to disk, or launching scripting hosts and shells.
- Inventory or process-creation telemetry (for example the FileVersion field of Sysmon Event ID 1) showing browser binaries below 138 still being launched.
Network Indicators:
- Unexpected outbound connections or data volumes from the browser parent process that do not match normal browsing, particularly shortly after a content-process crash or reload.
SIEM Query:
Compare the version as a number, not a string ('99.0' sorts after '138.0' lexically). Pseudo-syntax, adapt to your SIEM:
Inventory: Image ENDSWITH ('firefox.exe', 'thunderbird.exe') AND major(FileVersion) < 138
Process tree: ParentImage ENDSWITH ('firefox.exe', 'thunderbird.exe') AND Image NOT ENDSWITH ('firefox.exe', 'thunderbird.exe', 'plugin-container.exe', 'crashreporter.exe', 'updater.exe')
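As an added example, not part of the advisory and not Mozilla's code, the following Python hunt runs the two checks above over process-creation events: an outdated browser binary, and a Firefox or Thunderbird parent spawning something it normally never does. The second check is a generic post-exploitation heuristic for a sandbox escape, not a signature for this CVE. The event field names (Sysmon Event ID 1 style), the allowlist of expected child images and the sample events are all assumptions constructed for illustration and must be tuned for a real fleet.

```python
"""Added example (not from the advisory, not Mozilla's code): hunt over
process-creation events for an outdated Firefox/Thunderbird binary and for a
browser parent launching an unexpected child, the observable aftermath of a
content-to-parent escape.

Assumptions: events are dicts with Sysmon Event ID 1 style fields (Image,
FileVersion, ParentImage, ProcessId, ParentProcessId, CommandLine);
EXPECTED_CHILDREN is an illustrative allowlist; SAMPLE_EVENTS are constructed.
"""
from __future__ import annotations

import ntpath

FIXED_MAJOR = 138  # first mainline release carrying the fix (MFSA 2025-28)

# Illustrative allowlist of images a browser parent legitimately launches.
EXPECTED_CHILDREN = {
    "firefox.exe": {"firefox.exe", "plugin-container.exe", "crashreporter.exe",
                    "updater.exe", "pingsender.exe", "minidump-analyzer.exe"},
    "thunderbird.exe": {"thunderbird.exe", "plugin-container.exe",
                        "crashreporter.exe", "updater.exe", "pingsender.exe"},
}


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(path).lower()


def major_version(version: str) -> int | None:
    """Numeric major component of '137.0.2'; None if unparseable.
    Numeric comparison matters: as strings, '99.0' sorts after '138.0'."""
    head = version.split(".")[0]
    return int(head) if head.isdigit() else None


def outdated_version(event: dict) -> str | None:
    """Flag a browser binary whose file version predates the fixed release."""
    image = image_name(event["Image"])
    if image not in EXPECTED_CHILDREN:
        return None
    major = major_version(event.get("FileVersion", ""))
    if major is None or major >= FIXED_MAJOR:
        return None
    return f"{image} pid {event['ProcessId']} is {event['FileVersion']} (< {FIXED_MAJOR})"


def suspicious_spawn(event: dict) -> str | None:
    """Flag a child process that a browser parent is not expected to create."""
    parent = image_name(event["ParentImage"])
    allowed = EXPECTED_CHILDREN.get(parent)
    if allowed is None:
        return None
    child = image_name(event["Image"])
    if child in allowed:
        return None
    return (f"{parent} pid {event['ParentProcessId']} spawned {child}: "
            f"{event['CommandLine']}")


def hunt(events: list[dict]) -> list[str]:
    """Run both checks over every event and collect the findings."""
    findings = []
    for event in events:
        for check in (outdated_version, suspicious_spawn):
            finding = check(event)
            if finding:
                findings.append(finding)
    return findings


FF = r"C:\Program Files\Mozilla Firefox\firefox.exe"
SAMPLE_EVENTS = [  # constructed sample telemetry, not real logs
    {"Image": FF, "FileVersion": "137.0.2", "ParentImage": r"C:\Windows\explorer.exe",
     "ProcessId": 4120, "ParentProcessId": 980, "CommandLine": f'"{FF}"'},
    # a content process: same binary, launched by the parent with -contentproc
    {"Image": FF, "FileVersion": "137.0.2", "ParentImage": FF,
     "ProcessId": 4388, "ParentProcessId": 4120,
     "CommandLine": f'"{FF}" -contentproc -childID 3 -isForBrowser'},
    # what an escape looks like afterwards: the browser parent runs a shell
    {"Image": r"C:\Windows\System32\cmd.exe", "FileVersion": "10.0.19041.1",
     "ParentImage": FF, "ProcessId": 5002, "ParentProcessId": 4120,
     "CommandLine": "cmd.exe /c whoami"},
    {"Image": FF, "FileVersion": "138.0", "ParentImage": r"C:\Windows\explorer.exe",
     "ProcessId": 6100, "ParentProcessId": 980, "CommandLine": f'"{FF}"'},
]

if __name__ == "__main__":
    for line in hunt(SAMPLE_EVENTS):
        print(line)
```

Against the constructed events the hunt reports the two launches of the 137.0.2 binary and the shell spawned by the browser parent, and stays quiet on the 138.0 launch and on the legitimate content process. Expect to extend the allowlist for third-party helpers (password managers, accessibility tools) before deploying it.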