CVE-2025-0237

The WebChannel API, which is used to transport various information across processes, did not check the sending principal but rather accepted the principal being sent. This could have led to privilege escalation attacks. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird < 128.6.

Published: Jan 7, 2025
Updated: May 4, 2025
CVE: CVE-2025-0237
Exploit:

No technical information available.

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
mozilla / firefox	-	134.0
mozilla / firefox	-	128.6.0
mozilla / thunderbird	-	128.6.0
mozilla / thunderbird	129.0	134.0

https://bugzilla.mozilla.org/show_bug.cgi?id=1915257
https://www.mozilla.org/security/advisories/mfsa2025-01/
https://www.mozilla.org/security/advisories/mfsa2025-02/
https://www.mozilla.org/security/advisories/mfsa2025-04/
https://www.mozilla.org/security/advisories/mfsa2025-05/

Vulnerability Database

289,697

CVE-2025-0237