Mozilla Products April 2025 3rd Security Update Advisory
Overview
An update has been made available to fix vulnerabilities in the Mozilla suite of products (Thunderbird ESR, Thunderbird, Firefox ESR, Firefox). Users of affected products are advised to update to the latest version.
Affected Products
Firefox 138 and earlier
Firefox ESR 115.23 and earlier
Firefox ESR 128.10 and earlier
Thunderbird 138 and earlier
Thunderbird ESR 128.10 and earlier
Resolved Vulnerabilities
Moderate potential local code execution vulnerability in Firefox ESR, Thunderbird ESR (CVE-2025-4084) [1], [3], [4]
High-severity memory safety bug in Firefox ESR and Thunderbird ESR (CVE-2025-4093) [1], [4]
High-severity privilege escalation vulnerability in Firefox, Firefox ESR, Thunderbird, Thunderbird ESR (CVE-2025-2817) [1], [2], [3], [4], [5]
High-severity memory corruption vulnerability in Firefox, Firefox ESR, Thunderbird, Thunderbird ESR (CVE-2025-4082) [1], [2], [3], [4], [5]
High-severity Key Information Bypass vulnerability in Firefox, Firefox ESR, Thunderbird, Thunderbird ESR (CVE-2025-4083) [1], [2], [3], [4], [5]
Moderate Insecure Property Access Vulnerability during XPath Parsing in Firefox, Firefox ESR, Thunderbird, and Thunderbird ESR (CVE-2025-4087) [1], [2], [4], [5]
Moderate Memory Security Verification Error Vulnerability in Firefox, Firefox ESR, Thunderbird, Thunderbird ESR (CVE-2025-4091) [1], [2], [4], [5]
High-severity Memory Security Verification Error vulnerability in Firefox, Thunderbird (CVE-2025-4092) [2], [5]
Moderate arbitrary file download vulnerability in Firefox, Thunderbird (CVE-2025-4086) [2], [5]
Moderate potential local code execution vulnerability in Firefox, Thunderbird (CVE-2025-4089) [2], [5]
Moderate cross-site request forgery vulnerability via storage access API redirection in Firefox, Thunderbird (CVE-2025-4088) [2], [5]
Moderate information leakage vulnerability in the UITour actor function in Firefox and Thunderbird (CVE-2025-4085) [2], [5]
Vulnerability Patches
The following patched versions were made available in the April 29, 2025 update. For more information on the patches, refer to the Mozilla advisories listed under Referenced Sites.
Thunderbird ESR 128.10
Thunderbird 138
Firefox ESR 115.23
Firefox ESR 128.10
Firefox 138
Referenced Sites
[1] Security Vulnerabilities fixed in Thunderbird ESR 128.10
https://www.mozilla.org/en-US/security/advisories/mfsa2025-32/
[2] Security Vulnerabilities fixed in Thunderbird 138
https://www.mozilla.org/en-US/security/advisories/mfsa2025-31/
[3] Security Vulnerabilities fixed in Firefox ESR 115.23
https://www.mozilla.org/en-US/security/advisories/mfsa2025-30/
[4] Security Vulnerabilities fixed in Firefox ESR 128.10
https://www.mozilla.org/en-US/security/advisories/mfsa2025-29/
[5] Security Vulnerabilities fixed in Firefox 138
https://www.mozilla.org/en-US/security/advisories/mfsa2025-28/
[6] Update Firefox to the latest release
https://support.mozilla.org/ko/kb/update-firefox-latest-release