CVE-2025-4087

4.8 MEDIUM

📋 TL;DR

This vulnerability in Thunderbird and Firefox allows attackers to trigger undefined behavior through XPath parsing, potentially leading to out-of-bounds memory reads and memory corruption. It affects users running vulnerable versions of Firefox, Firefox ESR, and Thunderbird. Successful exploitation could allow attackers to read sensitive memory contents or potentially execute arbitrary code.

💻 Affected Systems

Products:
  • Mozilla Firefox
  • Mozilla Firefox ESR
  • Mozilla Thunderbird
Versions: Firefox < 138, Firefox ESR < 128.10, Thunderbird < 138, Thunderbird < 128.10
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable. No special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Memory corruption leading to arbitrary code execution, potentially allowing full system compromise through malicious email or web content.

🟠 Likely Case: Application crash (denial of service) or limited information disclosure through out-of-bounds memory reads.

🟢 If Mitigated: No impact if systems are patched or if email/web content filtering blocks malicious payloads.

🌐 Internet-Facing: MEDIUM - Exploitation requires user interaction (opening malicious email/web content), but widespread email clients increase attack surface.
🏢 Internal Only: MEDIUM - Internal users could be targeted via phishing emails or compromised internal web applications.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction (opening malicious email or visiting malicious website). No public exploit code available at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 138+, Firefox ESR 128.10+, Thunderbird 138+, Thunderbird 128.10+

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2025-28/

Restart Required: Yes

Instructions:

1. Open Firefox/Thunderbird.
2. Click menu → Help → About Firefox/Thunderbird.
3. Allow the automatic update to complete.
4. Restart the application when prompted.

🔧 Temporary Workarounds

Disable JavaScript in Thunderbird (all platforms)

Rationale: Prevents execution of malicious XPath payloads in email content.

Steps: In Thunderbird: Tools → Options → Advanced → General → Config Editor → search for 'javascript.enabled' → set to false. (In current Thunderbird releases the Config Editor button is at the bottom of Settings → General.)

🧯 If You Can't Patch

  • Implement email content filtering to block malicious HTML/XML attachments
  • Restrict user access to untrusted websites and educate users about phishing risks

🔍 How to Verify

Check if Vulnerable:

Check application version in About dialog: Firefox/Thunderbird → Help → About

Check Version:

firefox --version or thunderbird --version

Verify Fix Applied:

Verify version is Firefox 138+, Firefox ESR 128.10+, Thunderbird 138+, or Thunderbird 128.10+
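The version comparison above is easy to get wrong by hand because the ESR branch (128.x) and the release branch (138+) have separate thresholds. The script below is an added example, not part of the advisory: it parses the string printed by `firefox --version` / `thunderbird --version` (assumed format "Mozilla Firefox 137.0.2" or "Mozilla Thunderbird 128.9.2esr", as the Linux/macOS binaries print) and classifies it against the fixed versions stated on this page. The sample strings at the bottom are constructed for demonstration; the final function checks whatever is actually installed.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a Firefox/Thunderbird
# "--version" string against the fixed versions for CVE-2025-4087.
# Fixed per the advisory: release branch 138+, ESR branch 128.10+.
# Everything else is treated as vulnerable, matching the "< 138" and
# "< 128.10" ranges on the page.

# Print "fixed", "vulnerable" or "unknown" for one version string and
# return 0 / 1 / 2 respectively.
cve_2025_4087_status() {
    # Extract the first "major.minor" pair; the ".patch" part and the
    # "esr" suffix do not affect the thresholds.
    pair=$(printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9]\{1,\}\)\.\([0-9]\{1,\}\).*/\1 \2/p')
    if [ -z "$pair" ]; then
        echo unknown
        return 2
    fi
    major=${pair%% *}
    minor=${pair##* }
    if [ "$major" -ge 138 ]; then
        echo fixed
        return 0
    fi
    if [ "$major" -eq 128 ] && [ "$minor" -ge 10 ]; then
        echo fixed
        return 0
    fi
    echo vulnerable
    return 1
}

# Check the binaries that are actually on PATH, if any.
report_installed() {
    for bin in firefox thunderbird; do
        if command -v "$bin" >/dev/null 2>&1 && out=$("$bin" --version 2>/dev/null); then
            printf '%s: %s (%s)\n' "$bin" "$(cve_2025_4087_status "$out")" "$out"
        fi
    done
}

# Constructed sample outputs so the script demonstrates itself offline.
for sample in 'Mozilla Firefox 137.0.2' 'Mozilla Firefox 138.0' \
              'Mozilla Firefox 128.9.0esr' 'Mozilla Thunderbird 128.10.1esr'; do
    printf '%-34s -> %s\n' "$sample" "$(cve_2025_4087_status "$sample")"
done

report_installed
```

Distribution packages may print a slightly different banner; the parser only needs the first "major.minor" pair in the string, so it tolerates extra text before and after it. On Windows the About dialog described above remains the practical check, since `firefox.exe --version` does not print to a normal console.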

📡 Detection & Monitoring

Log Indicators:

  • Application crash logs with XPath-related stack traces
  • Unexpected memory access errors in system logs

Network Indicators:

  • Unusual email attachments with XML/HTML content
  • Suspicious web requests containing XPath expressions

SIEM Query:

(source="*firefox*" OR source="*thunderbird*") AND (event="crash" OR error="memory" OR error="xpath")
