Description
Same-origin policy bypass in the DOM: Notifications component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5.
Published: 2025-11-11
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Same‑Origin Policy Bypass / Information Disclosure
Action: Patch Immediately
AI Analysis

Impact

The CVE describes a Same‑Origin Policy bypass in the browser’s DOM Notifications component. This weakness could allow an attacker who can deliver malicious content to a user to access notification data that was intended to be isolated to the originating domain. The result is potential information disclosure or manipulation of notifications, impacting confidentiality and integrity of user data within the browser environment.

Affected Systems

The defect is present in Mozilla Firefox and Mozilla Thunderbird browsers built on the shared Notification API. The issue has been fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird ESR 140.5. Versions prior to these fixed releases are affected unless explicit patching is applied.

Risk and Exploitability

With a CVSS base score of 8.1 the vulnerability is considered high severity, yet the EPSS score is under 1 %, indicating a low probability of widespread exploitation. The issue is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker would typically need to entice a user to visit a malicious web page or local file that triggers the Notifications component, after which cross‑origin notification data could be read or altered. The overall risk is high for susceptible installations, but the likelihood of active exploitation remains small.

Generated by OpenCVE AI on April 20, 2026 at 21:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Firefox to 145 or ESR 140.5 and Thunderbird to 145 or ESR 140.5 to apply the fix.
  • If an immediate upgrade is not possible, block notification permissions for untrusted origins through the browser’s content settings or a policy that restricts the Notifications API.
  • As a temporary measure, disable the Notifications component entirely by setting dom.notifications.enabled to false until a patch is available.

Generated by OpenCVE AI on April 20, 2026 at 21:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4370-1 firefox-esr security update
Debian DLA Debian DLA DLA-4372-1 thunderbird security update
Debian DSA Debian DSA DSA-6054-1 firefox-esr security update
Debian DSA Debian DSA DSA-6059-1 thunderbird security update
Ubuntu USN Ubuntu USN USN-7991-1 Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Same-origin policy bypass in the DOM: Notifications component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Thunderbird < 145, and Thunderbird < 140.5. Same-origin policy bypass in the DOM: Notifications component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5.

Wed, 19 Nov 2025 19:30:00 +0000

Type Values Removed Values Added
Description Same-origin policy bypass in the DOM: Notifications component. This vulnerability affects Firefox < 145 and Firefox ESR < 140.5. Same-origin policy bypass in the DOM: Notifications component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Thunderbird < 145, and Thunderbird < 140.5.
References

Mon, 17 Nov 2025 12:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*

Wed, 12 Nov 2025 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-942
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}

Wed, 12 Nov 2025 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Mozilla firefox Esr
Vendors & Products Mozilla
Mozilla firefox
Mozilla firefox Esr

Wed, 12 Nov 2025 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-501
References
Metrics threat_severity

None

 cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

threat_severity

Moderate

Tue, 11 Nov 2025 16:00:00 +0000

Type Values Removed Values Added
Description Same-origin policy bypass in the DOM: Notifications component. This vulnerability affects Firefox < 145 and Firefox ESR < 140.5.
Title Same-origin policy bypass in the DOM: Notifications component
References

Subscriptions

Mozilla Firefox Firefox Esr
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:26:28.500Z

Reserved: 2025-11-11T15:12:15.878Z

Link: CVE-2025-13017

cve-icon Vulnrichment

Updated: 2025-11-12T15:16:06.301Z

cve-icon NVD

Status : Modified

Published: 2025-11-11T16:15:38.793

Modified: 2026-04-13T15:16:42.840

Link: CVE-2025-13017

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-11-11T15:47:16Z

Links: CVE-2025-13017 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T21:45:18Z

Weaknesses