Description
A process isolation vulnerability in Thunderbird stemmed from improper handling of javascript: URIs, which could allow content to execute in the top-level document's process instead of the intended frame, potentially enabling a sandbox escape. This vulnerability was fixed in Firefox 138, Firefox ESR 128.10, Firefox ESR 115.23, Thunderbird 138, and Thunderbird 128.10.
Published: 2025-04-29
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Process Isolation Bypass
Action: Patch Immediately
AI Analysis

Impact

The flaw stems from improper handling of "javascript:" URIs within cross‑origin frames, allowing content to execute in the top‑level document’s process instead of the intended sandboxed frame. This can lead to a sandbox escape where malicious code gains the privileges of the host process, potentially compromising both confidentiality and integrity of the system. The vulnerability is identified as CWE‑653 and is rated with a CVSS score of 9.1.

Affected Systems

This issue affects Mozilla products, specifically Firefox and Thunderbird. The bulletin specifies that the security patch was released for Firefox 138, Firefox ESR 128.10, Firefox ESR 115.23, Thunderbird 138, and Thunderbird 128.10. Earlier versions of these browsers are thus vulnerable. There is no explicit mention of other vendors in the description, although the Common Platform Enumeration list includes various Red Hat products, the impact on them is not directly asserted.

Risk and Exploitability

The EPSS score of less than 1% indicates that exploitation is considered rare, and the vulnerability is not yet listed in CISA’s KEV catalog, implying no public exploits are known. The likely attack vector involves a user visiting a page or opening a message containing a cross‑origin frame that loads a "javascript:" URL; from there an attacker could coerce the host process to execute malicious code. Exact conditions for exploitation are not described beyond the use of such a URI, so the threat is generally limited to environments where arbitrary web content or email can be rendered without additional controls.

Generated by OpenCVE AI on April 20, 2026 at 17:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Firefox to at least version 138 or an equivalent ESR release (115.23 or 128.10) and update Thunderbird to version 138 or the recommended ESR release (128.10).
  • If an immediate software update is not possible, block or strip "javascript:" scheme links in cross‑origin frames—e.g., configure the browser or mail client to reject or sanitize such URIs before rendering.
  • Stay alert for new advisories or definitions in the Mozilla security advisories and consider enabling additional sandboxing or content‑policy controls if available.

Generated by OpenCVE AI on April 20, 2026 at 17:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4167-1 thunderbird security update
Debian DLA Debian DLA DLA-4172-1 firefox-esr security update
Debian DSA Debian DSA DSA-5910-1 firefox-esr security update
Debian DSA Debian DSA DSA-5912-1 thunderbird security update
EUVD EUVD EUVD-2025-12730 A process isolation vulnerability in Thunderbird stemmed from improper handling of javascript: URIs, which could allow content to execute in the top-level document's process instead of the intended frame, potentially enabling a sandbox escape. This vulnerability affects Firefox < 138, Firefox ESR < 128.10, Firefox ESR < 115.23, Thunderbird < 138, and Thunderbird < 128.10.
Ubuntu USN Ubuntu USN USN-7663-1 Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description A process isolation vulnerability in Thunderbird stemmed from improper handling of javascript: URIs, which could allow content to execute in the top-level document's process instead of the intended frame, potentially enabling a sandbox escape. This vulnerability affects Firefox < 138, Firefox ESR < 128.10, Firefox ESR < 115.23, Thunderbird < 138, and Thunderbird < 128.10. A process isolation vulnerability in Thunderbird stemmed from improper handling of javascript: URIs, which could allow content to execute in the top-level document's process instead of the intended frame, potentially enabling a sandbox escape. This vulnerability was fixed in Firefox 138, Firefox ESR 128.10, Firefox ESR 115.23, Thunderbird 138, and Thunderbird 128.10.
Title firefox: thunderbird: Process isolation bypass using "javascript:" URI links in cross-origin frames Process isolation bypass using "javascript:" URI links in cross-origin frames

Mon, 03 Nov 2025 20:30:00 +0000

Type Values Removed Values Added
References

Wed, 14 May 2025 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Aus
Redhat rhel Tus
CPEs cpe:/a:redhat:rhel_aus:8.2
cpe:/a:redhat:rhel_aus:8.4
cpe:/a:redhat:rhel_aus:8.6
cpe:/a:redhat:rhel_e4s:8.4
cpe:/a:redhat:rhel_e4s:8.6
cpe:/a:redhat:rhel_eus:8.8
cpe:/a:redhat:rhel_tus:8.4
cpe:/a:redhat:rhel_tus:8.6
Vendors & Products Redhat rhel Aus
Redhat rhel Tus

Wed, 14 May 2025 02:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/o:redhat:enterprise_linux:10.0

Sat, 10 May 2025 03:30:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:rhel_eus:9.4

Fri, 09 May 2025 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*
Vendors & Products Mozilla
Mozilla firefox
Mozilla thunderbird

Fri, 09 May 2025 02:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel E4s
Redhat rhel Els
Redhat rhel Eus
CPEs cpe:/a:redhat:rhel_e4s:9.0
cpe:/a:redhat:rhel_eus:9.2
cpe:/o:redhat:rhel_els:7
Vendors & Products Redhat rhel E4s
Redhat rhel Els
Redhat rhel Eus

Mon, 05 May 2025 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat
Redhat enterprise Linux
CPEs cpe:/a:redhat:enterprise_linux:8
cpe:/a:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux

Fri, 02 May 2025 02:45:00 +0000

Type Values Removed Values Added
Title firefox: thunderbird: Process isolation bypass using "javascript:" URI links in cross-origin frames
References
Metrics threat_severity

None

 threat_severity

Important

Thu, 01 May 2025 14:30:00 +0000

Type Values Removed Values Added
Description A process isolation vulnerability in Firefox stemmed from improper handling of javascript: URIs, which could allow content to execute in the top-level document's process instead of the intended frame, potentially enabling a sandbox escape. This vulnerability affects Firefox < 138, Firefox ESR < 128.10, Firefox ESR < 115.23, Thunderbird < 138, and Thunderbird ESR < 128.10. A process isolation vulnerability in Thunderbird stemmed from improper handling of javascript: URIs, which could allow content to execute in the top-level document's process instead of the intended frame, potentially enabling a sandbox escape. This vulnerability affects Firefox < 138, Firefox ESR < 128.10, Firefox ESR < 115.23, Thunderbird < 138, and Thunderbird < 128.10.

Wed, 30 Apr 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 30 Apr 2025 14:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-653
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

Tue, 29 Apr 2025 13:30:00 +0000

Type Values Removed Values Added
Description A process isolation vulnerability in Firefox stemmed from improper handling of javascript: URIs, which could allow content to execute in the top-level document's process instead of the intended frame, potentially enabling a sandbox escape. This vulnerability affects Firefox < 138, Firefox ESR < 128.10, Firefox ESR < 115.23, Thunderbird < 138, and Thunderbird ESR < 128.10.
References

Subscriptions

Mozilla Firefox Thunderbird
Redhat Enterprise Linux Rhel Aus Rhel E4s Rhel Els Rhel Eus Rhel Tus
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:27:17.492Z

Reserved: 2025-04-29T13:13:35.922Z

Link: CVE-2025-4083

cve-icon Vulnrichment

Updated: 2025-11-03T19:58:48.900Z

cve-icon NVD

Status : Modified

Published: 2025-04-29T14:15:35.003

Modified: 2026-04-13T15:16:59.477

Link: CVE-2025-4083

cve-icon Redhat

Severity : Important

Publid Date: 2025-04-29T13:13:36Z

Links: CVE-2025-4083 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T17:30:12Z

Weaknesses