Description
A security vulnerability in Thunderbird allowed malicious sites to use redirects to send credentialed requests to arbitrary endpoints on any site that had invoked the Storage Access API. This enabled potential Cross-Site Request Forgery attacks across origins. This vulnerability was fixed in Firefox 138 and Thunderbird 138.
Published: 2025-04-29
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Request Forgery
Action: Patch ASAP
AI Analysis

Impact

A flaw in the handling of the Storage Access API lets a malicious webpage redirect a logged-in user's browser to arbitrary URLs, causing the browser to perform credentialed requests on the user's behalf. The issue arises when a site combines the Storage Access API with redirects to force the browser to send requests to any domain the user has visited. This is a form of Cross-Site Request Forgery (CWE-352) that could lead to unauthorized actions or data disclosure, harming the confidentiality and integrity, and potentially the availability, of the user's accounts.

Affected Systems

The flaw affects all Mozilla Firefox and Mozilla Thunderbird releases prior to version 138. This inference is based on the vendor’s fix dates; the vulnerability was fixed in Firefox 138 and Thunderbird 138, implying earlier versions were vulnerable until then.

Risk and Exploitability

The CVSS score of 6.5 indicates medium severity, but the EPSS score of less than 1% signals a very low probability of exploitation at present, and the weakness is not listed in the CISA KEV catalog. The attack requires the user to visit a malicious site that performs a redirect; by abusing the Storage Access API, that site can cause the browser to send requests to any domain the user has visited. The consequence is that any authenticated web service the user is logged into could be misused if the victim follows the redirect.

Generated by OpenCVE AI on April 20, 2026 at 20:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch in Firefox 138 or later and Thunderbird 138 or later to eliminate the CWE‑352 CSRF flaw and the CWE‑601 open‑redirect issue.
  • If an immediate upgrade is not possible, restrict redirects that trigger the Storage Access API from untrusted origins to mitigate the CWE‑352 vulnerability.
  • Revoke or deny storage access permissions for untrusted sites to block the CWE‑601 redirect‑based CSRF vector until a fix is applied.
  • Monitor for suspicious credentialed requests and review logs for CSRF activity, being mindful of the CWE‑352 weakness.

Generated by OpenCVE AI on April 20, 2026 at 20:33 UTC.
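
The last recommended action asks operators to monitor for suspicious credentialed requests. The script below is an added example, not OpenCVE or Mozilla code: it scans request records in a constructed JSON-lines format and flags credentialed, state-changing requests whose Sec-Fetch-Site, Origin or Referer headers do not match the target origin, which is the server-side trace a cross-site credentialed request of the kind described above would leave. The log format, field names and sample records are assumptions made for this demonstration.

```python
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Methods that change server state; CSRF damage comes from requests that act
# on the victim's behalf, so credentialed GETs are left out of the report.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Request:
    method: str
    url: str                  # full URL of the request as the server saw it
    headers: Dict[str, str]   # header names lower-cased
    has_session_cookie: bool  # whether a session cookie was presented


def origin_of(url: str) -> str:
    """Reduce a URL to its scheme://host[:port] origin, lower-cased."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def classify(req: Request) -> Optional[str]:
    """Return a reason string if this looks like a credentialed cross-site
    state-changing request (the CSRF pattern), or None if it looks benign."""
    if req.method.upper() not in STATE_CHANGING or not req.has_session_cookie:
        return None
    # Fetch Metadata: the browser itself labels where the request came from.
    sfs = req.headers.get("sec-fetch-site")
    if sfs == "cross-site":
        return "sec-fetch-site=cross-site"
    if sfs in ("same-origin", "same-site", "none"):
        return None
    # No Fetch Metadata (older client): fall back to Origin, then Referer.
    target = origin_of(req.url)
    origin = req.headers.get("origin")
    if origin:
        return None if origin.lower() == target else f"origin mismatch: {origin}"
    referer = req.headers.get("referer")
    if referer:
        return None if origin_of(referer) == target else f"referer mismatch: {referer}"
    return "credentialed state change without origin or referer"


def parse_line(line: str) -> Request:
    """Parse one record of the constructed JSON-lines log format used here."""
    rec = json.loads(line)
    headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
    return Request(rec["method"], rec["url"], headers, bool(rec.get("cookie")))


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (record index, reason) for every record that classify() flags."""
    findings = []
    for idx, line in enumerate(lines):
        reason = classify(parse_line(line))
        if reason:
            findings.append((idx, reason))
    return findings


# Constructed sample records (not real traffic): a bank-style site with a
# state-changing /transfer endpoint and a few benign requests for contrast.
SAMPLE_LOG = [
    '{"method":"POST","url":"https://bank.example/transfer","cookie":true,'
    '"headers":{"sec-fetch-site":"cross-site","origin":"https://third-party.example"}}',
    '{"method":"POST","url":"https://bank.example/transfer","cookie":true,'
    '"headers":{"sec-fetch-site":"same-origin","origin":"https://bank.example"}}',
    '{"method":"GET","url":"https://bank.example/balance","cookie":true,'
    '"headers":{"sec-fetch-site":"cross-site"}}',
    '{"method":"POST","url":"https://bank.example/transfer","cookie":true,'
    '"headers":{"origin":"https://third-party.example"}}',
    '{"method":"POST","url":"https://bank.example/login","cookie":false,"headers":{}}',
    '{"method":"DELETE","url":"https://bank.example/account","cookie":true,'
    '"headers":{"referer":"https://bank.example/settings"}}',
    '{"method":"POST","url":"https://bank.example/transfer","cookie":true,"headers":{}}',
]

if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_LOG):
        print(f"record {idx}: {reason}")
```

The same three checks (Sec-Fetch-Site, then Origin, then Referer) are what a server-side CSRF defence enforces before accepting a state-changing request, so a service that rejects on these conditions is protected whether or not the client browser has the fix; running them over logs instead gives the review of past activity the recommendation calls for.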


Advisories
Source      ID               Title
EUVD        EUVD-2025-12651  A security vulnerability in Thunderbird allowed malicious sites to use redirects to send credentialed requests to arbitrary endpoints on any site that had invoked the Storage Access API. This enabled potential Cross-Site Request Forgery attacks across origins. This vulnerability affects Firefox < 138 and Thunderbird < 138.
Ubuntu USN  USN-7991-1       Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 15:00:00 +0000

Description
  Removed: A security vulnerability in Thunderbird allowed malicious sites to use redirects to send credentialed requests to arbitrary endpoints on any site that had invoked the Storage Access API. This enabled potential Cross-Site Request Forgery attacks across origins. This vulnerability affects Firefox < 138 and Thunderbird < 138.
  Added: A security vulnerability in Thunderbird allowed malicious sites to use redirects to send credentialed requests to arbitrary endpoints on any site that had invoked the Storage Access API. This enabled potential Cross-Site Request Forgery attacks across origins. This vulnerability was fixed in Firefox 138 and Thunderbird 138.
Title
  Removed: firefox: thunderbird: Cross-site request forgery via storage access API redirects
  Added: Cross-site request forgery via storage access API redirects

Fri, 09 May 2025 20:00:00 +0000

First Time appeared
  Added: Mozilla
  Added: Mozilla firefox
  Added: Mozilla thunderbird
CPEs
  Added: cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
  Added: cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
Vendors & Products
  Added: Mozilla
  Added: Mozilla firefox
  Added: Mozilla thunderbird

Thu, 01 May 2025 14:30:00 +0000

Description
  Removed: A security vulnerability in Firefox allowed malicious sites to use redirects to send credentialed requests to arbitrary endpoints on any site that had invoked the Storage Access API. This enabled potential Cross-Site Request Forgery attacks across origins. This vulnerability affects Firefox < 138 and Thunderbird < 138.
  Added: A security vulnerability in Thunderbird allowed malicious sites to use redirects to send credentialed requests to arbitrary endpoints on any site that had invoked the Storage Access API. This enabled potential Cross-Site Request Forgery attacks across origins. This vulnerability affects Firefox < 138 and Thunderbird < 138.

Thu, 01 May 2025 02:45:00 +0000

Title
  Added: firefox: thunderbird: Cross-site request forgery via storage access API redirects
Weaknesses
  Added: CWE-601
References
  Added: (values not shown)
Metrics
  threat_severity removed: None
  threat_severity added: Moderate

Tue, 29 Apr 2025 16:15:00 +0000

Weaknesses
  Added: CWE-352
Metrics
  cvssV3_1 added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}
  ssvc added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 29 Apr 2025 13:30:00 +0000

Description
  Added: A security vulnerability in Firefox allowed malicious sites to use redirects to send credentialed requests to arbitrary endpoints on any site that had invoked the Storage Access API. This enabled potential Cross-Site Request Forgery attacks across origins. This vulnerability affects Firefox < 138 and Thunderbird < 138.
References
  Added: (values not shown)

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:28:47.062Z

Reserved: 2025-04-29T13:13:43.020Z

Link: CVE-2025-4088

Vulnrichment

Updated: 2025-04-29T15:50:59.333Z

NVD

Status: Modified

Published: 2025-04-29T14:15:35.450

Modified: 2026-04-13T15:17:00.397

Link: CVE-2025-4088

Redhat

Severity: Moderate

Public Date: 2025-04-29T13:13:43Z

Links: CVE-2025-4088 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-20T20:45:16Z

Weaknesses