CVE-2025-3033 - Vulnerability Details

- Opening local .url files could lead to another file being opened

Description

After selecting a malicious Windows `.url` shortcut from the local filesystem, an unexpected file could be uploaded.
*This bug only affects Firefox on Windows. Other operating systems are unaffected.*. This vulnerability was fixed in Firefox 137 and Thunderbird 137.

Published: 2025-04-01

Score: 7.7 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Firefox and Thunderbird on Windows allow a local Windows .url shortcut to be chosen as the source for a file upload, but the shortcut points to another file on the system. The application then uploads the file referenced by the shortcut instead of the file originally selected, resulting in an arbitrary local file being submitted to the web server. This flaw corresponds to CWE‑73, reflecting improper handling of system call arguments for local file access.

Affected Systems

Versions prior to Firefox 137 and Thunderbird 137 running on Windows are affected. All other operating systems and newer releases are not vulnerable.

Risk and Exploitability

The CVSS score of 7.7 indicates high severity, while the EPSS score of less than 1 % suggests a low exploitation probability. The flaw is not listed in the CISA KEV catalog. Exploitation requires the victim to select a malicious .url file locally; after the file is chosen, the referenced file is uploaded automatically.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Mozilla

Firefox

affected

Version	Status	Constraints
`137`	unaffected	≤ *

Mozilla

Thunderbird

affected

Version	Status	Constraints
`137`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:a:mozilla:firefox::::::::
	cpe:2.3:a:mozilla:thunderbird::::::::

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to Firefox 137 or later and to Thunderbird 137 or later to apply the vendor fix.
If a patch cannot be installed immediately, configure the browser or use a security extension to block uploads that originate from .url shortcuts.
On the server side, enforce strict validation of uploaded file types and reject unexpected files or sizes.

Generated by OpenCVE AI on April 20, 2026 at 20:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-9302	After selecting a malicious Windows `.url` shortcut from the local filesystem, an unexpected file could be uploaded. This bug only affects Firefox on Windows. Other operating systems are unaffected. This vulnerability affects Firefox < 137 and Thunderbird < 137.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00067.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://bugzilla.mozilla.org/show_bug.cgi?id=1950056
https://www.mozilla.org/security/advisories/mfsa2025-20/
https://www.mozilla.org/security/advisories/mfsa2025-23/

History

Mon, 13 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Description	After selecting a malicious Windows `.url` shortcut from the local filesystem, an unexpected file could be uploaded. This bug only affects Firefox on Windows. Other operating systems are unaffected. This vulnerability affects Firefox < 137 and Thunderbird < 137.	After selecting a malicious Windows `.url` shortcut from the local filesystem, an unexpected file could be uploaded. This bug only affects Firefox on Windows. Other operating systems are unaffected.. This vulnerability was fixed in Firefox 137 and Thunderbird 137.
Title		Opening local .url files could lead to another file being opened

Mon, 07 Apr 2025 14:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mozilla Mozilla firefox Mozilla thunderbird
CPEs		cpe:2.3:a:mozilla:firefox:::::::: cpe:2.3:a:mozilla:thunderbird::::::::
Vendors & Products		Mozilla Mozilla firefox Mozilla thunderbird

Tue, 01 Apr 2025 19:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-73
Metrics		cvssV3_1 `{'score': 7.7, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 01 Apr 2025 12:45:00 +0000

Type	Values Removed	Values Added
Description		After selecting a malicious Windows `.url` shortcut from the local filesystem, an unexpected file could be uploaded. This bug only affects Firefox on Windows. Other operating systems are unaffected. This vulnerability affects Firefox < 137 and Thunderbird < 137.
References		https://bugzilla.mozilla.org/show_bug.cgi?id=1950056 https://www.mozilla.org/security/advisories/mfsa2025-20/ https://www.mozilla.org/security/advisories/mfsa2025-23/

Subscriptions

Mozilla Firefox Thunderbird

MITRE

Status: PUBLISHED

Assigner: mozilla

Published: 2025-04-01T12:29:04.495Z

Updated: 2026-04-13T14:29:35.142Z

Reserved: 2025-03-31T09:35:30.844Z

Link: CVE-2025-3033

Vulnrichment

Updated: 2025-04-01T18:33:34.355Z

NVD

Status : Modified

Published: 2025-04-01T13:15:41.697

Modified: 2026-04-13T15:16:57.157

Link: CVE-2025-3033

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T20:45:16Z

Weaknesses

CWE-73

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object