CVE-2025-9180 - Vulnerability Details

- Same-origin policy bypass in the Graphics: Canvas2D component

Description

Same-origin policy bypass in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 142, Firefox ESR 115.27, Firefox ESR 128.14, Firefox ESR 140.2, Thunderbird 142, Thunderbird 128.14, and Thunderbird 140.2.

Published: 2025-08-19

Score: 8.1 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A flaw in the Graphics: Canvas2D component lets a malicious script read pixel data from a canvas that was rendered with content from a different origin. The result is an information disclosure that bypasses the browser’s same‑origin policy, exposing data that could include sensitive user content, crumbs of private information, or other data normally protected by origin boundaries. The weakness is aligned with information‑exposure weaknesses such as CWE‑200 and CWE‑346.

Affected Systems

Mozilla Firefox releases 142 and all current ESR releases (115.27, 128.14, 140.2) and Mozilla Thunderbird releases 142 and all current ESR releases (115.27, 128.14, 140.2) are affected. Earlier versions of these products are vulnerable.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity, while the EPSS of less than 1% suggests a low likelihood of widespread exploitation at present. The vulnerability is not listed in the CISA KEV catalog, which indicates that it has not yet been the target of known, active exploitation campaigns. Attackers would need to lure a user to a malicious web page or send them a malicious email that triggers the Canvas2D rendering, which means the risk exists in typical browser usage scenarios.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Mozilla

Firefox

affected

Version	Status	Constraints
`115.27`	unaffected	≤ 115.*
`128.14`	unaffected	≤ 128.*
`140.2`	unaffected	≤ 140.*
`142`	unaffected	≤ *

Mozilla

Thunderbird

affected

Version	Status	Constraints
`128.14`	unaffected	≤ 128.*
`140.2`	unaffected	≤ 140.*
`142`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:a:mozilla:firefox:::::esr:::*
	cpe:2.3:a:mozilla:firefox:::::-:::*
	cpe:2.3:a:mozilla:firefox:::::esr:::*
	cpe:2.3:a:mozilla:firefox:::::esr:::*
	cpe:2.3:a:mozilla:thunderbird:::::esr:::*
	cpe:2.3:a:mozilla:thunderbird:::::-:::*
	cpe:2.3:a:mozilla:thunderbird:::::esr:::*

No data.

Vendor	Product	Confidence	Versions
Mozilla	Firefox	—	—
Mozilla	Firefox Esr	—	—
Mozilla	Thunderbird	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to the latest release of Firefox (v142) or ESR 115.27 and newer; similarly, upgrade Thunderbird to v142 or ESR 115.27 and newer.
Disable or remove any third‑party extensions and user scripts that might inject code into web pages or emails, as they could trigger Canvas rendering from untrusted sources.
Implement a strict content security policy that disallows inline scripts and limits external script execution to trusted origins, reducing the chance that a malicious page can create the vulnerable situation.

Generated by OpenCVE AI on April 20, 2026 at 18:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4277-1	firefox-esr security update
Debian DLA	DLA-4279-1	thunderbird security update
Debian DSA	DSA-5980-1	firefox-esr security update
Debian DSA	DSA-5984-1	thunderbird security update
EUVD	EUVD-2025-25245	'Same-origin policy bypass in the Graphics: Canvas2D component.' This vulnerability affects Firefox < 142, Firefox ESR < 115.27, Firefox ESR < 128.14, Firefox ESR < 140.2, Thunderbird < 142, Thunderbird < 128.14, and Thunderbird < 140.2.
Ubuntu USN	USN-7991-1	Thunderbird vulnerabilities

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00061.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://bugzilla.mozilla.org/show_bug.cgi?id=1979782
https://lists.debian.org/debian-lts-announce/2025/08/msg00016.html
https://lists.debian.org/debian-lts-announce/2025/08/msg00018.html
https://nvd.nist.gov/vuln/detail/CVE-2025-9180
https://www.cve.org/CVERecord?id=CVE-2025-9180
https://www.mozilla.org/security/advisories/mfsa2025-64/
https://www.mozilla.org/security/advisories/mfsa2025-65/
https://www.mozilla.org/security/advisories/mfsa2025-66/
https://www.mozilla.org/security/advisories/mfsa2025-66/#CVE-2025-9180
https://www.mozilla.org/security/advisories/mfsa2025-67/
https://www.mozilla.org/security/advisories/mfsa2025-70/
https://www.mozilla.org/security/advisories/mfsa2025-71/
https://www.mozilla.org/security/advisories/mfsa2025-71/#CVE-2025-9180
https://www.mozilla.org/security/advisories/mfsa2025-72/

History

Mon, 13 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Description	Same-origin policy bypass in the Graphics: Canvas2D component. This vulnerability affects Firefox < 142, Firefox ESR < 115.27, Firefox ESR < 128.14, Firefox ESR < 140.2, Thunderbird < 142, Thunderbird < 128.14, and Thunderbird < 140.2.	Same-origin policy bypass in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 142, Firefox ESR 115.27, Firefox ESR 128.14, Firefox ESR 140.2, Thunderbird 142, Thunderbird 128.14, and Thunderbird 140.2.

Mon, 03 Nov 2025 19:30:00 +0000

Type	Values Removed	Values Added
References		https://lists.debian.org/debian-lts-announce/2025/08/msg00016.html https://lists.debian.org/debian-lts-announce/2025/08/msg00018.html

Thu, 30 Oct 2025 16:00:00 +0000

Type	Values Removed	Values Added
Description	'Same-origin policy bypass in the Graphics: Canvas2D component.' This vulnerability affects Firefox < 142, Firefox ESR < 115.27, Firefox ESR < 128.14, Firefox ESR < 140.2, Thunderbird < 142, Thunderbird < 128.14, and Thunderbird < 140.2.	Same-origin policy bypass in the Graphics: Canvas2D component. This vulnerability affects Firefox < 142, Firefox ESR < 115.27, Firefox ESR < 128.14, Firefox ESR < 140.2, Thunderbird < 142, Thunderbird < 128.14, and Thunderbird < 140.2.
Title	thunderbird: firefox: Same-origin policy bypass in the Graphics: Canvas2D component	Same-origin policy bypass in the Graphics: Canvas2D component

Fri, 22 Aug 2025 00:15:00 +0000

Type	Values Removed	Values Added
Title		thunderbird: firefox: Same-origin policy bypass in the Graphics: Canvas2D component
Weaknesses		CWE-200
References		https://nvd.nist.gov/vuln/detail/CVE-2025-9180 https://www.cve.org/CVERecord?id=CVE-2025-9180 https://www.mozilla.org/security/advisories/mfsa2025-66/#CVE-2025-9180 https://www.mozilla.org/security/advisories/mfsa2025-71/#CVE-2025-9180
Metrics	threat_severity `None`	threat_severity `Important`

Thu, 21 Aug 2025 18:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:mozilla:firefox:::::-:::* cpe:2.3:a:mozilla:firefox:::::esr:::* cpe:2.3:a:mozilla:thunderbird:::::-:::* cpe:2.3:a:mozilla:thunderbird:::::esr:::*

Thu, 21 Aug 2025 12:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mozilla Mozilla firefox Mozilla firefox Esr Mozilla thunderbird
Vendors & Products		Mozilla Mozilla firefox Mozilla firefox Esr Mozilla thunderbird

Wed, 20 Aug 2025 16:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-346
Metrics		cvssV3_1 `{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 19 Aug 2025 20:45:00 +0000

Type	Values Removed	Values Added
Description		'Same-origin policy bypass in the Graphics: Canvas2D component.' This vulnerability affects Firefox < 142, Firefox ESR < 115.27, Firefox ESR < 128.14, Firefox ESR < 140.2, Thunderbird < 142, Thunderbird < 128.14, and Thunderbird < 140.2.
References		https://bugzilla.mozilla.org/show_bug.cgi?id=1979782 https://www.mozilla.org/security/advisories/mfsa2025-64/ https://www.mozilla.org/security/advisories/mfsa2025-65/ https://www.mozilla.org/security/advisories/mfsa2025-66/ https://www.mozilla.org/security/advisories/mfsa2025-67/ https://www.mozilla.org/security/advisories/mfsa2025-70/ https://www.mozilla.org/security/advisories/mfsa2025-71/ https://www.mozilla.org/security/advisories/mfsa2025-72/

Subscriptions

Mozilla Firefox Firefox Esr Thunderbird

MITRE

Status: PUBLISHED

Assigner: mozilla

Published: 2025-08-19T20:33:54.532Z

Updated: 2026-04-13T14:25:49.457Z

Reserved: 2025-08-19T15:55:39.806Z

Link: CVE-2025-9180

Vulnrichment

Updated: 2025-08-20T14:05:55.611Z

NVD

Status : Modified

Published: 2025-08-19T21:15:30.390

Modified: 2026-04-13T15:17:13.590

Link: CVE-2025-9180

Redhat

Severity : Important

Publid Date: 2025-08-19T20:33:54Z

Links: CVE-2025-9180 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-20T18:15:13Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object