Description
Spoofing issue in Firefox. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, and Firefox ESR 115.30.
Published: 2025-11-11
Score: 3.4 Low
EPSS: < 1% Very Low
KEV: No
Impact: Spoofing / Identity Forgery
Action: Patch Update
AI Analysis

Impact

This vulnerability is an authentication forgery flaw (CWE‑290) that can allow an attacker to spoof another user’s identity within the Mozilla Firefox browser. The flaw was identified as a spoofing issue and carries a CVSS score of 3.4, indicating a low‑severity risk. While it does not enable arbitrary code execution or a denial‑of‑service condition, it can undermine user trust in web interactions and potentially compromise the integrity of data transmitted or verified by the browser.

Affected Systems

Mozilla Firefox users are affected if they are running any version older than Firefox 145 or the corresponding ESR releases that were fixed (ESR 140.5 and ESR 115.30). The attack does not depend on a specific vendor or third‑party product beyond the Firefox browser itself. Users of these older Firefox builds should verify whether they are still supported by Mozilla and plan for an upgrade accordingly.

Risk and Exploitability

The CVSS score of 3.4 indicates a low baseline impact, and the EPSS score of less than 1% suggests a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Based on the description and the nature of the flaw, the likely attack vector involves a malicious web page or content that tricks the browser into treating a forged identity as genuine. Although the exact prerequisites for exploitation are not detailed, the effect would be limited to scenarios where the attacker can influence or load content within a user’s Firefox session.

Generated by OpenCVE AI on April 20, 2026 at 17:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Firefox to version 145 or newer, or upgrade to a supported ESR 140.5 or ESR 115.30 build which contain the fix.
  • If an immediate upgrade is not possible, restrict browsing to trusted sites and avoid opening email attachments or web content from unverified sources until a patch is installed.
  • Consider transitioning to a newer ESR release if running an older Firefox edition, reducing the window of vulnerability exposure.

Generated by OpenCVE AI on April 20, 2026 at 17:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4370-1 firefox-esr security update
Debian DLA Debian DLA DLA-4372-1 thunderbird security update
Debian DSA Debian DSA DSA-6054-1 firefox-esr security update
Debian DSA Debian DSA DSA-6059-1 thunderbird security update
Ubuntu USN Ubuntu USN USN-7991-1 Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
References

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Spoofing issue in Firefox. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Firefox ESR < 115.30, Thunderbird < 145, and Thunderbird < 140.5. Spoofing issue in Firefox. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, and Firefox ESR 115.30.

Wed, 19 Nov 2025 19:30:00 +0000

Type Values Removed Values Added
Description Spoofing issue in Firefox. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, and Firefox ESR < 115.30. Spoofing issue in Firefox. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Firefox ESR < 115.30, Thunderbird < 145, and Thunderbird < 140.5.
References

Mon, 17 Nov 2025 12:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*

Thu, 13 Nov 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 12 Nov 2025 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Mozilla firefox Esr
Vendors & Products Mozilla
Mozilla firefox
Mozilla firefox Esr

Wed, 12 Nov 2025 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-290
References
Metrics threat_severity

None

 cvssV3_1

{'score': 3.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N'}

threat_severity

Low

Tue, 11 Nov 2025 16:00:00 +0000

Type Values Removed Values Added
Description Spoofing issue in Firefox. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, and Firefox ESR < 115.30.
Title Spoofing issue in Firefox
References

Subscriptions

Mozilla Firefox Firefox Esr
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:26:40.252Z

Reserved: 2025-11-11T15:12:11.401Z

Link: CVE-2025-13015

cve-icon Vulnrichment

Updated: 2025-11-13T15:32:30.096Z

cve-icon NVD

Status : Modified

Published: 2025-11-11T16:15:38.573

Modified: 2026-04-13T15:16:42.470

Link: CVE-2025-13015

cve-icon Redhat

Severity : Low

Publid Date: 2025-11-11T15:47:12Z

Links: CVE-2025-13015 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T17:45:12Z

Weaknesses