Description
The WebChannel API, which is used to transport various information across processes, did not check the sending principal but rather accepted the principal being sent. This could have led to privilege escalation attacks. This vulnerability was fixed in Firefox 134, Firefox ESR 128.6, Thunderbird 134, and Thunderbird 128.6.
Published: 2025-01-07
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Apply Patch
AI Analysis

Impact

The vulnerability stems from the WebChannel API not validating the sending principal before accepting it, allowing a process to impersonate another and gain elevated privileges. This flaw classifies as a confused‑deputy attack and is mapped to CWE‑441 and CWE‑863. An attacker could exploit the flaw to broaden the access scope of a less privileged process, potentially compromising confidential data or enabling further attacks.

Affected Systems

Mozilla Firefox, including ESR releases, and Mozilla Thunderbird are affected when running versions prior to Firefox 134 / ESR 128.6 and Thunderbird 134 / ESR 128.6. The issue appears in installations on various operating systems, as indicated by the Red Hat Enterprise Linux CPE entries, but the fix applies to all supported platforms.

Risk and Exploitability

The CVSS score of 5.4 suggests moderate severity while the EPSS score of < 1 % reflects a low likelihood of exploitation at present. The vulnerability is not currently listed in the CISA KEV catalog. Exploitation would involve sending malicious messages through the WebChannel API to a target process, a scenario that typically requires local user interaction or an existing compromise of the sending process.

Generated by OpenCVE AI on April 20, 2026 at 18:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Mozilla Firefox to version 134 or newer, and for ESR users, ensure ESR 128.6 or later is installed.
  • Update Mozilla Thunderbird to version 134 or newer, and for ESR users, ensure ESR 128.6 or later is installed.
  • If updates cannot be applied immediately, consider disabling or restricting the WebChannel API or applying sandboxing measures to isolate the affected processes, and monitor for anomalous inter‑process activity.

Generated by OpenCVE AI on April 20, 2026 at 18:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4011-1 firefox-esr security update
Debian DLA Debian DLA DLA-4012-1 thunderbird security update
Debian DSA Debian DSA DSA-5839-1 firefox-esr security update
Debian DSA Debian DSA DSA-5841-1 thunderbird security update
EUVD EUVD EUVD-2025-1569 The WebChannel API, which is used to transport various information across processes, did not check the sending principal but rather accepted the principal being sent. This could have led to privilege escalation attacks. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird < 128.6.
Ubuntu USN Ubuntu USN USN-7191-1 Firefox vulnerabilities
Ubuntu USN Ubuntu USN USN-7991-1 Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description The WebChannel API, which is used to transport various information across processes, did not check the sending principal but rather accepted the principal being sent. This could have led to privilege escalation attacks. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird < 128.6. The WebChannel API, which is used to transport various information across processes, did not check the sending principal but rather accepted the principal being sent. This could have led to privilege escalation attacks. This vulnerability was fixed in Firefox 134, Firefox ESR 128.6, Thunderbird 134, and Thunderbird 128.6.
Title firefox: thunderbird: WebChannel APIs susceptible to confused deputy attack WebChannel APIs susceptible to confused deputy attack

Mon, 03 Nov 2025 23:30:00 +0000

Type Values Removed Values Added
References

Thu, 03 Apr 2025 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
Vendors & Products Mozilla
Mozilla firefox
Mozilla thunderbird

Thu, 13 Feb 2025 01:00:00 +0000

Type Values Removed Values Added
Title firefox: WebChannel APIs susceptible to confused deputy attack firefox: thunderbird: WebChannel APIs susceptible to confused deputy attack
CPEs cpe:/a:redhat:rhel_aus:8.2
cpe:/a:redhat:rhel_aus:8.6
cpe:/a:redhat:rhel_e4s:8.6
cpe:/a:redhat:rhel_e4s:9.0
cpe:/a:redhat:rhel_eus:8.8
cpe:/a:redhat:rhel_eus:9.4
cpe:/a:redhat:rhel_tus:8.6

Mon, 13 Jan 2025 22:15:00 +0000

Type Values Removed Values Added
Description The WebChannel API, which is used to transport various information across processes, did not check the sending principal but rather accepted the principal being sent. This could have led to privilege escalation attacks. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird ESR < 128.6. The WebChannel API, which is used to transport various information across processes, did not check the sending principal but rather accepted the principal being sent. This could have led to privilege escalation attacks. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird < 128.6.

Thu, 09 Jan 2025 14:00:00 +0000

Type Values Removed Values Added
Title firefox: WebChannel APIs susceptible to confused deputy attack
First Time appeared Redhat
Redhat enterprise Linux
Redhat rhel Aus
Redhat rhel E4s
Redhat rhel Els
Redhat rhel Eus
Redhat rhel Tus
Weaknesses CWE-441
CPEs cpe:/a:redhat:enterprise_linux:8
cpe:/a:redhat:enterprise_linux:9
cpe:/a:redhat:rhel_aus:8.4
cpe:/a:redhat:rhel_e4s:8.4
cpe:/a:redhat:rhel_eus:9.2
cpe:/a:redhat:rhel_tus:8.4
cpe:/o:redhat:rhel_els:7
Vendors & Products Redhat
Redhat enterprise Linux
Redhat rhel Aus
Redhat rhel E4s
Redhat rhel Els
Redhat rhel Eus
Redhat rhel Tus
References
Metrics threat_severity

None

 threat_severity

Moderate

Thu, 09 Jan 2025 08:45:00 +0000

Type Values Removed Values Added
Description The WebChannel API, which is used to transport various information across processes, did not check the sending principal but rather accepted the principal being sent. This could have led to privilege escalation attacks. This vulnerability affects Firefox < 134 and Firefox ESR < 128.6. The WebChannel API, which is used to transport various information across processes, did not check the sending principal but rather accepted the principal being sent. This could have led to privilege escalation attacks. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird ESR < 128.6.
References

Wed, 08 Jan 2025 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-863
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 07 Jan 2025 16:15:00 +0000

Type Values Removed Values Added
Description The WebChannel API, which is used to transport various information across processes, did not check the sending principal but rather accepted the principal being sent. This could have led to privilege escalation attacks. This vulnerability affects Firefox < 134 and Firefox ESR < 128.6.
References

Subscriptions

Mozilla Firefox Thunderbird
Redhat Enterprise Linux Rhel Aus Rhel E4s Rhel Els Rhel Eus Rhel Tus
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:29:59.516Z

Reserved: 2025-01-06T14:48:59.270Z

Link: CVE-2025-0237

cve-icon Vulnrichment

Updated: 2025-11-03T22:33:35.989Z

cve-icon NVD

Status : Modified

Published: 2025-01-07T16:15:38.323

Modified: 2026-04-13T15:16:32.097

Link: CVE-2025-0237

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-01-07T16:07:05Z

Links: CVE-2025-0237 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T18:45:14Z

Weaknesses