Description
Same-origin policy bypass in the Request Handling component. This vulnerability was fixed in Firefox 146, Firefox ESR 115.31, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6.
Published: 2025-12-09
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Same‑origin policy bypass; limited cross‑origin disclosure and modification of data (CVSS C:L/I:L/A:N, scope unchanged)
Action: Patch
AI Analysis

Impact

A flaw in the request handling component allows web content to bypass the same‑origin policy, the browser rule that prevents one origin from reading or modifying responses that belong to another. The weakness is classed as CWE‑346 (Origin Validation Error): the affected code does not correctly validate the origin a request is associated with, so a request or its response can be treated as though it belonged to an origin it does not. The CVSS vector (C:L/I:L/A:N, scope unchanged) describes limited cross‑origin disclosure and modification of data with no availability impact; the advisory text does not describe script execution or privilege escalation. In practice an attacker who gets a victim to load controlled content could read or alter data that the same‑origin policy should have kept isolated from that content.

Affected Systems

The vulnerability affects Mozilla Firefox and Mozilla Thunderbird. Per the CVE description, the affected releases are Firefox before 146, Firefox ESR before 115.31, Firefox ESR before 140.6, Thunderbird before 146, and Thunderbird before 140.6 (the 140 ESR branch). No Thunderbird 115 ESR fix is listed. The CNA (Mozilla) records the products as Firefox, Firefox ESR and Thunderbird, matching the CPEs cpe:2.3:a:mozilla:firefox and cpe:2.3:a:mozilla:thunderbird in both the "-" and "esr" editions.

Risk and Exploitability

The CVSS 3.1 base score is 6.5 (Medium), vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N: reachable over the network, low attack complexity, no privileges and no user interaction required, with limited confidentiality and integrity impact. The SSVC assessment records Exploitation: none, Automatable: yes and Technical Impact: partial. The EPSS score below 1% indicates a low estimated probability of exploitation in the wild at the time of this analysis, and the CVE is not in the CISA KEV catalog. The realistic attack vector is attacker‑controlled content that drives the affected request handling code; once the victim loads it, no further interaction is required (UI:N). A low EPSS is a probability estimate, not a statement about which systems are exposed: every unpatched instance is subject to the same bypass, and the "Automatable: yes" rating means the picture could change quickly if a public exploit appears.

Generated by OpenCVE AI on April 20, 2026 at 17:35 UTC.

Remediation

Vendor fix available: Mozilla shipped fixes in Firefox 146, Firefox ESR 115.31, Firefox ESR 140.6, Thunderbird 146 and Thunderbird 140.6 (see Description). No workaround is listed; distribution updates are tracked under Advisories below.

OpenCVE Recommended Actions

  • Upgrade Firefox to 146 or later; on the extended support branches, to ESR 115.31 or ESR 140.6 or later
  • Upgrade Thunderbird to 146 or later, or to 140.6 or later on the 140 ESR branch (no Thunderbird 115 fix is listed)
  • On Debian and Ubuntu, apply the firefox-esr and thunderbird updates from the advisories listed below (DLA-4401-1, DLA-4405-1, DSA-6078-1, DSA-6081-1, USN-7991-1) and confirm the installed version is at or above the fixed release for its branch
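A version check for the upgrades above, as an added example that is not part of the OpenCVE page or of Mozilla's tooling. It encodes the fixed releases from the Description (Firefox 146, ESR 115.31, ESR 140.6; Thunderbird 146, 140.6) and decides whether a given version string is at or above the fix for its branch. The check_installed helper assumes that `firefox --version` and `thunderbird --version` print a line ending in the version, e.g. "Mozilla Firefox 140.5.0esr"; that output format is an assumption about the binaries, not something the page states.

```shell
#!/bin/sh
# Added example: decide whether a Firefox/Thunderbird version carries the
# CVE-2025-14331 fix. Fixed releases per the advisory: Firefox 146,
# Firefox ESR 115.31, Firefox ESR 140.6, Thunderbird 146, Thunderbird 140.6.

# Reduce a version string such as "140.5.0esr" or "145.0.2" to "MAJOR MINOR".
# Non-numeric suffixes (esr, beta tags) are dropped; a missing minor counts as 0.
normalize_version() {
    v=$(printf '%s' "$1" | tr -cd '0-9.')
    major=${v%%.*}
    rest=${v#*.}
    if [ "$rest" = "$v" ]; then minor=0; else minor=${rest%%.*}; fi
    printf '%s %s' "$major" "$minor"
}

# cve_2025_14331_fixed <firefox|thunderbird> <version>
# exit 0 = fixed, 1 = still affected, 2 = unrecognised product or version.
# Versions on the 115.x and 140.x branches are compared against the ESR fix
# for that branch; everything else is compared against the mainline fix (146),
# which is also the page's threshold for any other branch it lists as affected.
cve_2025_14331_fixed() {
    product=$1
    set -- $(normalize_version "$2")
    major=$1
    minor=$2
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in ''|*[!0-9]*) return 2 ;; esac
    case "$product" in
        firefox)
            case "$major" in
                115) [ "$minor" -ge 31 ] ;;
                140) [ "$minor" -ge 6 ] ;;
                *)   [ "$major" -ge 146 ] ;;
            esac ;;
        thunderbird)
            # No Thunderbird 115 fix is listed, so only 140.x gets a branch rule.
            case "$major" in
                140) [ "$minor" -ge 6 ] ;;
                *)   [ "$major" -ge 146 ] ;;
            esac ;;
        *) return 2 ;;
    esac
}

# check_installed <firefox|thunderbird>: query the installed binary.
# Assumption: `<binary> --version` prints a line ending in the version string.
check_installed() {
    prog=$1
    out=$("$prog" --version 2>/dev/null) || { echo "$prog: not installed or not on PATH"; return 2; }
    ver=${out##* }
    if cve_2025_14331_fixed "$prog" "$ver"; then
        echo "$prog $ver: contains the CVE-2025-14331 fix"
    else
        echo "$prog $ver: AFFECTED by CVE-2025-14331, upgrade"
        return 1
    fi
}
```

Source the file and run `check_installed firefox` (or `cve_2025_14331_fixed firefox 140.5.0esr; echo $?` to test a version string by hand). A non-zero exit from check_installed makes the script usable as a compliance probe in a fleet inventory job; note that it only knows the branches the advisory names, so an ESR branch the page does not mention is judged against the mainline threshold, which is the conservative reading.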



Advisories
Source      ID          Title
Debian DLA  DLA-4401-1  firefox-esr security update
Debian DLA  DLA-4405-1  thunderbird security update
Debian DSA  DSA-6078-1  firefox-esr security update
Debian DSA  DSA-6081-1  thunderbird security update
Ubuntu USN  USN-7991-1  Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 15:00:00 +0000

Type: Description
Values Removed: Same-origin policy bypass in the Request Handling component. This vulnerability affects Firefox < 146, Firefox ESR < 115.31, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6.
Values Added: Same-origin policy bypass in the Request Handling component. This vulnerability was fixed in Firefox 146, Firefox ESR 115.31, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6.

Wed, 10 Dec 2025 20:30:00 +0000

Type: First Time appeared
Values Added: Mozilla thunderbird
Type: CPEs
Values Added:
  cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
  cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
  cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
  cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*
Type: Vendors & Products
Values Added: Mozilla thunderbird

Wed, 10 Dec 2025 18:00:00 +0000

Type: First Time appeared
Values Added: Mozilla; Mozilla firefox; Mozilla firefox Esr
Type: Vendors & Products
Values Added: Mozilla; Mozilla firefox; Mozilla firefox Esr

Wed, 10 Dec 2025 14:45:00 +0000

Type: Description
Values Removed: Same-origin policy bypass in the Request Handling component. This vulnerability affects Firefox < 146, Firefox ESR < 115.31, and Firefox ESR < 140.6.
Values Added: Same-origin policy bypass in the Request Handling component. This vulnerability affects Firefox < 146, Firefox ESR < 115.31, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6.
Type: References

Wed, 10 Dec 2025 00:15:00 +0000


Tue, 09 Dec 2025 17:15:00 +0000

Type: Weaknesses
Values Added: CWE-346
Type: Metrics
Values Added:
  cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Dec 2025 13:45:00 +0000

Type: Description
Values Added: Same-origin policy bypass in the Request Handling component. This vulnerability affects Firefox < 146, Firefox ESR < 115.31, and Firefox ESR < 140.6.
Type: Title
Values Added: Same-origin policy bypass in the Request Handling component
Type: References

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:25:43.540Z

Reserved: 2025-12-09T13:38:06.607Z

Link: CVE-2025-14331

Vulnrichment

Updated: 2025-12-09T16:58:42.348Z

NVD

Status : Modified

Published: 2025-12-09T16:17:40.773

Modified: 2026-04-13T15:16:46.673

Link: CVE-2025-14331

Red Hat

Severity : Moderate

Public Date: 2025-12-09T13:38:07Z

Links: CVE-2025-14331 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-20T17:45:12Z

Weaknesses