CVE-2025-8032

Published: Jul 22, 2025Modified: Apr 13, 2026

8.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Exploitability: 2.8 / Impact: 5.2

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

XSLT document loading did not correctly propagate the source document which bypassed its CSP. This vulnerability was fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1.

Affected (6)

Products: Mozilla: Firefox, Thunderbird

2 products

Configuration A

6 vulnerable

Vulnerable Software	Affected Versions
Mozilla Firefox	Before 141.0
Mozilla Firefox	Before 128.13.0
Mozilla Firefox	From 140.0 to 140.1.0
Mozilla Thunderbird	Before 141.0
Mozilla Thunderbird	Before 128.13.0
Mozilla Thunderbird	From 140.0 to 140.1.0

Related CWEs

Protection Mechanism Failure

The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

References (8)

https://bugzilla.mozilla.org/show_bug.cgi?id=1974407

Source: security@mozilla.org

Permissions Required

https://www.mozilla.org/security/advisories/mfsa2025-56/

Source: security@mozilla.org

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2025-58/

Source: security@mozilla.org

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2025-59/

Source: security@mozilla.org

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2025-61/

Source: security@mozilla.org

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2025-62/

Source: security@mozilla.org

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2025-63/

Source: security@mozilla.org

Vendor Advisory

https://lists.debian.org/debian-lts-announce/2025/07/msg00016.html

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.