CVE-2025-4083

Public on 2025-04-29
Modified on 2025-05-01
Description
A process isolation vulnerability in Firefox stemmed from improper handling of javascript: URIs, which could allow content to execute in the top-level document's process instead of the intended frame, potentially enabling a sandbox escape. This vulnerability affects Firefox < 138, Firefox ESR < 128.10, Firefox ESR < 115.23, Thunderbird < 138, and Thunderbird ESR < 128.10.
Severity
Important
CVSS v3 Base Score
8.8

Affected Packages

| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Firefox Extra | firefox | 2025-05-21 | ALAS2FIREFOX-2025-038 | Fixed |
| Amazon Linux 2023 | firefox | 2025-05-21 | ALAS2023-2025-976 | Fixed |
| Amazon Linux 2 - Core | thunderbird | 2025-05-21 | ALAS2-2025-2858 | Fixed |

CVSS Scores

| Source | Score Type | Score | Vector |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 8.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| NVD | CVSSv3 | 9.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |