Description
A vulnerability existed in Thunderbird for Android where potentially sensitive library locations were logged via Logcat. This vulnerability was fixed in Firefox 138 and Thunderbird 138.
Published: 2025-04-29
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information disclosure
Action: Patch
AI Analysis

Impact

The vulnerability causes the Thunderbird for Android application to write library file locations, which may contain sensitive information, to Logcat. This accidentally discloses system paths that could help an attacker discover the app's internal structure or sensitive configuration data. The weakness is classified as CWE-532 (Insertion of Sensitive Information into Log File).

Affected Systems

Affected products are Mozilla Thunderbird for Android, with the issue also reported for Firefox. The fix was released in Firefox 138 and Thunderbird 138, meaning any version prior to those may be vulnerable and users of older builds on Android devices are at risk.

Risk and Exploitability

The CVSS score is 5.3, placing the vulnerability in the medium severity range. The EPSS score indicates the probability of exploitation is less than 1%, and the vulnerability is not listed in the CISA KEV catalog. Given that Logcat visibility is typically local to the device and can be accessed by any app with the READ_LOGS permission, the likely attack vector is local and requires an attacker who can read the device logs, such as a malicious app or user with device access.

Generated by OpenCVE AI on April 20, 2026 at 17:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Thunderbird for Android to version 138 or later, the release that contains the fix.
  • If an update is not immediately possible, disable Logcat logging for the application or restrict the READ_LOGS permission on the device so that only trusted apps can access logs.
  • Implement mobile device management controls to prevent malicious applications from gaining log‑reading privileges or enforce device root restrictions.



Advisories
Source: EUVD
ID: EUVD-2025-12646
Title: A vulnerability existed in Thunderbird for Android where potentially sensitive library locations were logged via Logcat. This vulnerability affects Firefox < 138 and Thunderbird < 138.

History

Mon, 13 Apr 2026 15:00:00 +0000

Type: Description
Values Removed: A vulnerability existed in Thunderbird for Android where potentially sensitive library locations were logged via Logcat. This vulnerability affects Firefox < 138 and Thunderbird < 138.
Values Added: A vulnerability existed in Thunderbird for Android where potentially sensitive library locations were logged via Logcat. This vulnerability was fixed in Firefox 138 and Thunderbird 138.

Type: Title
Values Removed: firefox: thunderbird: Leaked library paths in Firefox for Android
Values Added: Leaked library paths in Thunderbird for Android

Tue, 23 Sep 2025 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Tue, 23 Sep 2025 15:15:00 +0000

Type: Metrics

Values Removed:

cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Values Added:

cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 09 May 2025 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
Vendors & Products Mozilla
Mozilla firefox
Mozilla thunderbird

Thu, 01 May 2025 14:30:00 +0000

Type: Description
Values Removed: A vulnerability existed in Firefox for Android where potentially sensitive library locations were logged via Logcat. This vulnerability affects Firefox < 138 and Thunderbird < 138.
Values Added: A vulnerability existed in Thunderbird for Android where potentially sensitive library locations were logged via Logcat. This vulnerability affects Firefox < 138 and Thunderbird < 138.

Thu, 01 May 2025 02:45:00 +0000

Type Values Removed Values Added
Title firefox: thunderbird: Leaked library paths in Firefox for Android
Weaknesses CWE-532
References
Metrics threat_severity

None

threat_severity

Low


Tue, 29 Apr 2025 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 29 Apr 2025 13:30:00 +0000

Type Values Removed Values Added
Description A vulnerability existed in Firefox for Android where potentially sensitive library locations were logged via Logcat. This vulnerability affects Firefox < 138 and Thunderbird < 138.
References

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:28:50.482Z

Reserved: 2025-04-29T13:13:45.917Z

Link: CVE-2025-4090

Vulnrichment

Updated: 2025-04-29T15:37:48.959Z

NVD

Status: Modified

Published: 2025-04-29T14:15:35.627

Modified: 2026-04-13T15:17:00.723

Link: CVE-2025-4090

Redhat

Severity: Low

Public Date: 2025-04-29T13:13:46Z

Links: CVE-2025-4090 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-20T17:15:12Z

Weaknesses
  • CWE-532

    Insertion of Sensitive Information into Log File