Mozilla Products April 2025 Secondary Security Update Advisory

Overview

 

An update has been made available to address a vulnerability in the Mozilla suite (Thunderbird, Thunderbird, and Firefox versions). Users of affected products are advised to update to the latest version.

 

Affected Products

 

Firefox 137.0.2 and earlier

Thunderbird 128.9.2 and earlier

Thunderbird before 137.0.2

 

Resolved Vulnerabilities

 

High-level Race Condition Vulnerability in Firefox (CVE-2025-3608) [3

High-level information disclosure vulnerability in the /tmp directory listing in Thunderbird (CVE-2025-2830) [1], [2]

High-level, crafted attachment URL leakage of hashed Windows credentials in Thunderbird (CVE-2025-3522) [1], [2]

 

Vulnerability Patches

 

The following Vulnerability Patches were made available in the April 15, 2025 Update. For more information on Vulnerability Patches, please refer to the “Mozilla” Referenced Sites documentation.

Thunderbird version 128.9.2

Thunderbird version 137.0.2

Firefox version 137.0.2

 

Referenced Sites

 

[1] Security Vulnerabilities fixed in Thunderbird ESR 128.9.2

https://www.mozilla.org/en-US/security/advisories/mfsa2025-27/

[2] Security Vulnerabilities fixed in Thunderbird 137.0.2

https://www.mozilla.org/en-US/security/advisories/mfsa2025-26/

[3] Security vulnerability fixed in Firefox 137.0.2

https://www.mozilla.org/en-US/security/advisories/mfsa2025-25/

[4] Update Firefox to the latest release

https://support.mozilla.org/ko/kb/update-firefox-latest-release