Description
Setting a nameless cookie with an equals sign in the value shadowed other cookies. Even if the nameless cookie was set over HTTP and the shadowed cookie included the `Secure` attribute. This vulnerability was fixed in Firefox 141, Firefox ESR 140.1, Thunderbird 141, and Thunderbird 140.1.
Published: 2025-07-22
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Cookie hijacking / Authentication bypass
Action: Immediate Patch
AI Analysis

Impact

Setting a cookie without a name but with a value that contains an equals sign causes that cookie to override (shadow) any existing cookie with the same name, even if the existing cookie is marked Secure and sent only over HTTPS. The flaw allows a malicious actor to overwrite or manipulate secure authentication cookies, potentially enabling session hijack or authentication bypass. The vulnerability is classified as CWE‑614, denoting improper handling of cookie data.

Affected Systems

Mozilla Firefox up to version 140 and any earlier ESR releases prior to 140.1, as well as Thunderbird up to version 140 and ESR releases before 140.1, are affected. Versions 141 (Firefox and Thunderbird) and ESR 140.1 provide the fix.

Risk and Exploitability

The CVSS score of 9.1 indicates a critical severity, while the EPSS score of less than 1% suggests that exploitation in the wild is currently low and the vulnerability is not listed in CISA's KEV catalog. Based on the description, it is inferred that an attacker could exploit the flaw by injecting a nameless cookie with an equals sign into a target domain’s cookie store via a malicious site or script, thereby masking a secure session cookie and hijacking the session. The attack requires only the ability to set a cookie for the target domain, which can be achieved through normal web browsing or malicious web content.

Generated by OpenCVE AI on April 20, 2026 at 20:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mozilla Firefox to version 141 or newer, or ESR 140.1 or newer, to contain the fix.
  • Upgrade Mozilla Thunderbird to version 141 or newer, or ESR 140.1 or newer, to contain the fix.
  • Avoid using nameless cookies in web applications and enforce the Secure attribute for authentication‑related cookies to reduce the risk of impersonation.

Generated by OpenCVE AI on April 20, 2026 at 20:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-22368 Setting a nameless cookie with an equals sign in the value shadowed other cookies. Even if the nameless cookie was set over HTTP and the shadowed cookie included the `Secure` attribute. This vulnerability affects Firefox < 141, Firefox ESR < 140.1, Thunderbird < 141, and Thunderbird < 140.1.
Ubuntu USN Ubuntu USN USN-7991-1 Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Setting a nameless cookie with an equals sign in the value shadowed other cookies. Even if the nameless cookie was set over HTTP and the shadowed cookie included the `Secure` attribute. This vulnerability affects Firefox < 141, Firefox ESR < 140.1, Thunderbird < 141, and Thunderbird < 140.1. Setting a nameless cookie with an equals sign in the value shadowed other cookies. Even if the nameless cookie was set over HTTP and the shadowed cookie included the `Secure` attribute. This vulnerability was fixed in Firefox 141, Firefox ESR 140.1, Thunderbird 141, and Thunderbird 140.1.

Thu, 30 Oct 2025 16:15:00 +0000

Type Values Removed Values Added
Title firefox: thunderbird: Nameless cookies shadow secure cookies Nameless cookies shadow secure cookies

Tue, 29 Jul 2025 12:30:00 +0000

Type Values Removed Values Added
Title firefox: thunderbird: Nameless cookies shadow secure cookies
References
Metrics threat_severity

None

 threat_severity

Moderate

Mon, 28 Jul 2025 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*

Wed, 23 Jul 2025 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Mozilla firefox Esr
Mozilla thunderbird
Vendors & Products Mozilla
Mozilla firefox
Mozilla firefox Esr
Mozilla thunderbird

Wed, 23 Jul 2025 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-614
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 22 Jul 2025 21:00:00 +0000

Type Values Removed Values Added
Description Setting a nameless cookie with an equals sign in the value shadowed other cookies. Even if the nameless cookie was set over HTTP and the shadowed cookie included the `Secure` attribute. This vulnerability affects Firefox < 141, Firefox ESR < 140.1, Thunderbird < 141, and Thunderbird < 140.1.
References

Subscriptions

Mozilla Firefox Firefox Esr Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:26:53.773Z

Reserved: 2025-07-22T10:14:04.585Z

Link: CVE-2025-8037

cve-icon Vulnrichment

Updated: 2025-07-23T14:25:17.912Z

cve-icon NVD

Status : Modified

Published: 2025-07-22T21:15:50.860

Modified: 2026-04-13T15:17:10.840

Link: CVE-2025-8037

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-07-22T20:49:25Z

Links: CVE-2025-8037 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T20:15:06Z

Weaknesses