Description
The executable file warning did not warn users before opening files with the `terminal` extension.
*This bug only affects Firefox for macOS. Other versions of Firefox are unaffected.* This vulnerability was fixed in Firefox 140, Firefox ESR 128.12, Thunderbird 140, and Thunderbird 128.12.
Published: 2025-06-24
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Potential code execution via unnotified terminal files
Action: Immediate Patch
AI Analysis

Impact

This vulnerability permits files bearing a terminal extension to be opened in Firefox on macOS without the standard warning that flags executable content. Since the terminal extension is commonly linked to scripts or binaries, an attacker could deliver a terminal file that, when opened, could lead to the execution of arbitrary code. The information provided does not explicitly confirm whether the file is executed automatically, but based on the nature of the extension, code execution is a realistic and potentially severe outcome. The weakness is aligned with CWE‑345, which addresses information exposure that can lead to execution of malicious content.

Affected Systems

The issue is limited to Mozilla Firefox and Mozilla Thunderbird running on macOS, affecting versions prior to Firefox 140, Firefox ESR 128.12, Thunderbird 140, and Thunderbird 128.12. Other operating systems and non‑macOS builds of these browsers are not affected.

Risk and Exploitability

The CVSS base score of 8.8 indicates a high severity, while the EPSS score of < 1% reflects limited current exploitation activity. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is the delivery of a malicious terminal file through channels such as email attachments, compromised websites, or infected downloads, with the user incorrectly opening the file on their macOS system.

Generated by OpenCVE AI on April 20, 2026 at 22:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mozilla Firefox to version 140 or newer, or to Firefox ESR 128.12 or newer.
  • Upgrade Mozilla Thunderbird to version 140 or newer, or to Thunderbird ESR 128.12 or newer.
  • Ensure macOS is updated to the latest security releases and configure Gatekeeper to restrict the execution of unknown file types.

Advisories
| Source | ID | Title |
|---|---|---|
| EUVD | EUVD-2025-19102 | The executable file warning did not warn users before opening files with the `terminal` extension. *This bug only affects Firefox for macOS. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 140, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12. |
| Ubuntu USN | USN-7663-1 | Thunderbird vulnerabilities |

History

Mon, 13 Apr 2026 15:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | The executable file warning did not warn users before opening files with the `terminal` extension. *This bug only affects Firefox for macOS. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 140, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12. | The executable file warning did not warn users before opening files with the `terminal` extension. *This bug only affects Firefox for macOS. Other versions of Firefox are unaffected.* This vulnerability was fixed in Firefox 140, Firefox ESR 128.12, Thunderbird 140, and Thunderbird 128.12. |

Thu, 30 Oct 2025 16:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | firefox: thunderbird: No warning when opening executable terminal files on macOS | No warning when opening executable terminal files on macOS |

Tue, 15 Jul 2025 13:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | `epss: {'score': 0.00019}` | `epss: {'score': 0.0002}` |


Mon, 14 Jul 2025 18:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | The executable file warning did not warn users before opening files with the `terminal` extension. *This bug only affects Firefox for macOS. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 140 and Firefox ESR < 128.12. | The executable file warning did not warn users before opening files with the `terminal` extension. *This bug only affects Firefox for macOS. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 140, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12. |
| References | | |

Fri, 04 Jul 2025 02:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | firefox: No warning when opening executable terminal files on macOS | firefox: thunderbird: No warning when opening executable terminal files on macOS |

Thu, 03 Jul 2025 16:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Apple, Apple macos, Mozilla, Mozilla firefox |
| CPEs | | `cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*`, `cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*`, `cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*` |
| Vendors & Products | | Apple, Apple macos, Mozilla, Mozilla firefox |

Wed, 25 Jun 2025 15:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | | CWE-345 |
| Metrics | `cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}` | `ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`, `cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}` |


Wed, 25 Jun 2025 00:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | firefox: No warning when opening executable terminal files on macOS |
| References | | |
| Metrics | `threat_severity: None` | `cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}`, `threat_severity: Moderate` |


Tue, 24 Jun 2025 12:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | The executable file warning did not warn users before opening files with the `terminal` extension. *This bug only affects Firefox for macOS. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 140 and Firefox ESR < 128.12. |
| References | | |

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:30:40.735Z

Reserved: 2025-06-20T14:51:29.856Z

Link: CVE-2025-6426

Vulnrichment

Updated: 2025-06-25T14:21:33.436Z

NVD

Status: Modified

Published: 2025-06-24T13:15:23.537

Modified: 2026-04-13T15:17:06.523

Link: CVE-2025-6426

Redhat

Severity: Moderate

Public Date: 2025-06-24T12:28:00Z

Links: CVE-2025-6426 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-20T22:30:19Z

Weaknesses