Description
Information disclosure in the Networking: Cache component. This vulnerability was fixed in Firefox 143, Firefox ESR 140.3, Thunderbird 143, and Thunderbird 140.3.
Published: 2025-09-16
Score: 6.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Patch
AI Analysis

Impact

A defect in the Networking: Cache component exposes internal cache data, allowing an adversary to read information that should remain confidential. The vulnerability can result in unauthorized disclosure of session data, cached credentials, or other sensitive content stored in the browser or email client. The weakness is a clear case of information exposure (CWE‑200) and directly compromises confidentiality, potentially aiding broader attacks if additional data is leaked.

Affected Systems

Mozilla products are affected. Unpatched versions of Firefox and the ESR branch before 143 and 140.3, respectively, as well as Thunderbird before 143 and 140.3, are vulnerable. The vulnerability is present in the baseline builds that include the Networking: Cache component and has been addressed in the listed fixed releases.

Risk and Exploitability

The CVSS base score of 6.2 indicates medium severity, while the EPSS score of less than 1% shows the likelihood of exploitation is very low. The vulnerability is not listed in the CISA KEV catalog, reducing the urgency for zero‑day exploitation. Attackers would need to trigger the vulnerable caching path, which may be local or via crafted network traffic; the description does not state an explicit remote exploitation vector, so the attack surface is considered limited. Patching removes the risk, and in the absence of an immediate fix, monitoring for abnormal cache reads is advised.

Generated by OpenCVE AI on April 20, 2026 at 19:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mozilla Firefox to version 143 or newer, or any ESR build 140.3 or newer.
  • Upgrade Mozilla Thunderbird to version 143 or newer, or any ESR build 140.3 or newer.
  • If immediate update is not possible, refrain from storing sensitive data in the cache or disable caching features through application preferences where available.

Generated by OpenCVE AI on April 20, 2026 at 19:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4305-1 firefox-esr security update
Debian DLA Debian DLA DLA-4311-1 thunderbird security update
Debian DSA Debian DSA DSA-6003-1 firefox-esr security update
Debian DSA Debian DSA DSA-6011-1 thunderbird security update
EUVD EUVD EUVD-2025-29558 This vulnerability affects Firefox < 143, Firefox ESR < 140.3, Thunderbird < 143, and Thunderbird < 140.3.
Ubuntu USN Ubuntu USN USN-7991-1 Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Information disclosure in the Networking: Cache component. This vulnerability affects Firefox < 143, Firefox ESR < 140.3, Thunderbird < 143, and Thunderbird < 140.3. Information disclosure in the Networking: Cache component. This vulnerability was fixed in Firefox 143, Firefox ESR 140.3, Thunderbird 143, and Thunderbird 140.3.

Mon, 03 Nov 2025 19:30:00 +0000

Type Values Removed Values Added
References

Thu, 30 Oct 2025 16:30:00 +0000

Type Values Removed Values Added
Description This vulnerability affects Firefox < 143, Firefox ESR < 140.3, Thunderbird < 143, and Thunderbird < 140.3. Information disclosure in the Networking: Cache component. This vulnerability affects Firefox < 143, Firefox ESR < 140.3, Thunderbird < 143, and Thunderbird < 140.3.
Title firefox: thunderbird: Information disclosure in the Networking: Cache component Information disclosure in the Networking: Cache component

Mon, 22 Sep 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 cvssV3_1

{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 22 Sep 2025 16:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*

Thu, 18 Sep 2025 00:15:00 +0000

Type Values Removed Values Added
Title firefox: thunderbird: Information disclosure in the Networking: Cache component
First Time appeared Redhat
Redhat enterprise Linux
CPEs cpe:/a:redhat:enterprise_linux:9
cpe:/o:redhat:enterprise_linux:10.0
Vendors & Products Redhat
Redhat enterprise Linux
References
Metrics threat_severity

None

 threat_severity

Low

Wed, 17 Sep 2025 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Mozilla firefox Esr
Mozilla thunderbird
Vendors & Products Mozilla
Mozilla firefox
Mozilla firefox Esr
Mozilla thunderbird

Tue, 16 Sep 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 16 Sep 2025 15:00:00 +0000

Type Values Removed Values Added
Description This vulnerability affects Firefox < 143 and Firefox ESR < 140.3. This vulnerability affects Firefox < 143, Firefox ESR < 140.3, Thunderbird < 143, and Thunderbird < 140.3.
Weaknesses CWE-200
References
Metrics cvssV3_1

{'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Tue, 16 Sep 2025 12:45:00 +0000

Type Values Removed Values Added
Description This vulnerability affects Firefox < 143 and Firefox ESR < 140.3.
References

Subscriptions

Mozilla Firefox Firefox Esr Thunderbird
Redhat Enterprise Linux
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:28:24.046Z

Reserved: 2025-09-16T06:48:50.429Z

Link: CVE-2025-10536

cve-icon Vulnrichment

Updated: 2025-11-03T18:08:36.559Z

cve-icon NVD

Status : Modified

Published: 2025-09-16T13:15:48.950

Modified: 2026-04-13T15:16:37.373

Link: CVE-2025-10536

cve-icon Redhat

Severity : Low

Publid Date: 2025-09-16T12:26:36Z

Links: CVE-2025-10536 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T19:45:15Z

Weaknesses