Description
Same-origin policy bypass in the DOM: Workers component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5.
Published: 2025-11-11
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Same-origin policy bypass
Action: Patch
AI Analysis

Impact

The flaw allows script running in a worker to bypass the browser's same-origin policy and reach data or functionality that should stay isolated between distinct origins. Based on the description, it is inferred that an attacker who can get a worker script executed may read cross-origin data or act within another origin's context; the CNA's CVSS vector (C:H/I:H/A:N) points to confidentiality and integrity loss rather than denial of service. The assigned weaknesses are CWE-346 (Origin Validation Error) and CWE-942 (Permissive Cross-domain Policy with Untrusted Domains).
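The following is an added example written for this page, not code from Mozilla, OpenCVE or the advisory: a small Node.js model of the origin check that the Worker constructor applies to its script URL, so that "same-origin policy in the Workers component" has a concrete meaning. It compares (scheme, host, port) tuples with default-port normalisation, treats blob: URLs as inheriting the origin of their creator and data: URLs as opaque-origin, and assumes the standard rule that a dedicated worker script must be same-origin with its document except for data: scripts. The page does not say which of these steps Firefox got wrong, so the model shows only the policy that was bypassed, not the bypass; the function names are this example's own.

```javascript
// Added example (not Mozilla's or the advisory's code): a model of the
// same-origin check a document's `new Worker(scriptUrl)` is subject to.
// Assumptions: origins are (scheme, host, port) tuples per the URL standard,
// blob: URLs inherit the origin of the URL embedded in them, and data: URLs
// get an opaque origin that matches nothing.

const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Origin tuple of a URL string, or null for an opaque origin.
function originOf(urlText) {
  const u = new URL(urlText);
  if (u.protocol === "blob:") {
    // blob:https://a.example/<uuid> -> origin of the inner https URL,
    // which the URL parser exposes as the opaque path.
    return originOf(u.pathname);
  }
  if (!(u.protocol in DEFAULT_PORTS)) return null; // data:, about:, file: -> opaque
  const port = u.port || DEFAULT_PORTS[u.protocol]; // "" means the default port
  return { scheme: u.protocol, host: u.hostname, port };
}

// True only when both URLs have a tuple origin and the tuples agree.
function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  if (!oa || !ob) return false; // opaque origins never match, not even themselves
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Rule modelled here: the worker script must be same-origin with the creating
// document; a data: script is allowed but runs with an opaque origin, so it
// gets no cross-origin access either. Relative script URLs resolve against
// the document URL, as they do in a page.
function workerScriptAllowed(documentUrl, scriptUrl) {
  const resolved = new URL(scriptUrl, documentUrl);
  if (resolved.protocol === "data:") return true;
  return sameOrigin(documentUrl, resolved.href);
}

// Constructed checks, not taken from the advisory.
const DOC = "https://a.example/page";
console.log(workerScriptAllowed(DOC, "/worker.js"));                     // true
console.log(workerScriptAllowed(DOC, "https://b.example/worker.js"));    // false
console.log(workerScriptAllowed(DOC, "https://a.example:8443/worker.js")); // false
console.log(workerScriptAllowed(DOC, "blob:https://a.example/550e8400")); // true
```

The model is deliberately strict about opaque origins: a data: worker is created, but `sameOrigin` reports it as matching nothing, which is the behaviour the policy relies on to keep such workers from reading anything cross-origin.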

Affected Systems

The vulnerability affects Firefox before 145, Firefox ESR before 140.5, Thunderbird before 145, and Thunderbird before 140.5 (the 140 line is the ESR channel for both products). Any installation that has not been updated to those releases, including distribution packages that rebuild them (see the Debian and Ubuntu advisories below), is vulnerable.
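As an added helper for the inventory step, not part of the advisory or of Mozilla's tooling: a Node.js check that classifies version strings of the kind `firefox --version` and `thunderbird --version` print against the ranges above. It assumes that a 140.x build without an "esr" suffix is an ESR build (140 only ships as an ESR line) and reports older, out-of-support ESR lines such as 128 as affected because they are also below 140.5; the host names in the inventory are constructed sample data.

```javascript
// Added example for this page, not Mozilla's or OpenCVE's code: classify
// installed builds against the published ranges for CVE-2025-13019
// (Firefox < 145, Firefox ESR < 140.5, Thunderbird < 145, Thunderbird < 140.5).

const FIXED_MAINLINE = { major: 145, minor: 0 };
const FIXED_ESR = { major: 140, minor: 5 };

// Parse "Mozilla Firefox 140.4.0esr", "Mozilla Thunderbird 144.0.2", "145.0", ...
function parseVersion(text) {
  const m = /(\d+)\.(\d+)(?:\.(\d+))?(esr)?/i.exec(text);
  if (!m) throw new Error(`no version number in: ${text}`);
  return { major: +m[1], minor: +m[2], patch: +(m[3] ?? 0), esr: Boolean(m[4]) };
}

function lessThan(v, fix) {
  return v.major < fix.major || (v.major === fix.major && v.minor < fix.minor);
}

// True when the build is inside an affected range.
// Assumption: a 140.x build is ESR even if the packager dropped the suffix.
// Older ESR lines (115, 128) are below 140.5 and out of support, so they are
// reported as affected too.
function isAffected(text) {
  const v = parseVersion(text);
  const esrLine = v.esr || v.major === 140;
  return esrLine ? lessThan(v, FIXED_ESR) : lessThan(v, FIXED_MAINLINE);
}

// Constructed inventory (host, output of --version); not real hosts.
const INVENTORY = [
  ["ws-01", "Mozilla Firefox 144.0.2"],
  ["ws-02", "Mozilla Firefox 145.0"],
  ["ws-03", "Mozilla Firefox 140.4.0esr"],
  ["ws-04", "Mozilla Firefox 140.5.0esr"],
  ["mail-01", "Mozilla Thunderbird 140.4.0esr"],
  ["mail-02", "Mozilla Thunderbird 145.0"],
];

// Hosts that still need the update.
function hostsNeedingUpdate(inventory) {
  return inventory.filter(([, version]) => isAffected(version)).map(([host]) => host);
}

console.log(hostsNeedingUpdate(INVENTORY)); // ["ws-01", "ws-03", "mail-01"]
```

Feed it the output of your software inventory rather than trusting the major version alone; the ESR branch is what makes a plain "is it 145 yet" check wrong for 140.5 and later ESR builds.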

Risk and Exploitability

Mozilla's CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N) yields the 8.1 High score shown above; the 6.1 Medium vector recorded by NVD and Red Hat (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) differs on scope and on the degree of confidentiality and integrity loss, so treat the higher score as the conservative one. Both vectors agree that the flaw is reachable over the network with no privileges but requires user interaction: the victim has to load attacker-controlled content. The EPSS score below 1% indicates a low current probability of exploitation, the entry is not in CISA's KEV catalog, and the SSVC decision points record Exploitation: none and Automatable: no. Based on the description, it is inferred that the most likely vector is a web page that spawns a worker under attacker control. Thunderbird disables scripting when displaying mail, so the risk there is in browser-like contexts rather than in reading a message.

Generated by OpenCVE AI on April 20, 2026 at 21:37 UTC.

Remediation

Vendor fix: Mozilla shipped the fix in Firefox 145, Firefox ESR 140.5, Thunderbird 145 and Thunderbird 140.5; distribution rebuilds are listed under Advisories below. No workaround is documented.

OpenCVE Recommended Actions

  • Upgrade all affected Firefox and Thunderbird installations to the patched releases (Firefox 145 or later, Firefox ESR 140.5 or later; Thunderbird 145 or later, Thunderbird 140.5 or later), or to the distribution packages that carry the fix (Debian DLA-4370-1/DLA-4372-1, DSA-6054-1/DSA-6059-1, Ubuntu USN-7991-1).
  • If an immediate update is not feasible, reduce exposure by limiting execution of untrusted script (a script-blocking extension or enterprise policy that restricts JavaScript on unknown sites); Firefox has no setting that disables workers on their own, and a CSP worker-src directive only governs sites you operate, not attacker pages.
  • Verify the rollout by checking installed versions (about:support in the client, or the package manager on managed hosts) rather than by watching for "anomalous worker activity", which normal endpoint telemetry does not expose, and track follow-up Mozilla advisories for further changes.



Advisories
Source       ID           Title
Debian DLA   DLA-4370-1   firefox-esr security update
Debian DLA   DLA-4372-1   thunderbird security update
Debian DSA   DSA-6054-1   firefox-esr security update
Debian DSA   DSA-6059-1   thunderbird security update
Ubuntu USN   USN-7991-1   Thunderbird vulnerabilities

History

Mon, 13 Apr 2026 15:00:00 +0000

Type: Description
Values Removed: Same-origin policy bypass in the DOM: Workers component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Thunderbird < 145, and Thunderbird < 140.5.
Values Added: Same-origin policy bypass in the DOM: Workers component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5.

Wed, 19 Nov 2025 19:30:00 +0000

Type: Description
Values Removed: Same-origin policy bypass in the DOM: Workers component. This vulnerability affects Firefox < 145 and Firefox ESR < 140.5.
Values Added: Same-origin policy bypass in the DOM: Workers component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Thunderbird < 145, and Thunderbird < 140.5.
Type: References
References

Mon, 17 Nov 2025 12:45:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*; cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*

Wed, 12 Nov 2025 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-942
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}


Wed, 12 Nov 2025 13:00:00 +0000

Type: First Time appeared
Values Added: Mozilla; Mozilla firefox; Mozilla firefox Esr
Type: Vendors & Products
Values Added: Mozilla; Mozilla firefox; Mozilla firefox Esr

Wed, 12 Nov 2025 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-346
References
Metrics threat_severity

None

cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

threat_severity

Moderate


Tue, 11 Nov 2025 16:00:00 +0000

Type: Description
Values Added: Same-origin policy bypass in the DOM: Workers component. This vulnerability affects Firefox < 145 and Firefox ESR < 140.5.
Type: Title
Values Added: Same-origin policy bypass in the DOM: Workers component
Type: References

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:26:31.931Z

Reserved: 2025-11-11T15:12:20.399Z

Link: CVE-2025-13019

Vulnrichment

Updated: 2025-11-12T15:03:17.093Z

NVD

Status : Modified

Published: 2025-11-11T16:15:39.000

Modified: 2026-04-13T15:16:43.183

Link: CVE-2025-13019

Redhat

Severity : Moderate

Public Date: 2025-11-11T15:47:16Z

Links: CVE-2025-13019 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-20T21:45:18Z

Weaknesses