CVE-2025-4088: CSRF
First published: Tue Apr 29 2025(Updated: )
A security vulnerability in Firefox allowed malicious sites to use redirects to send credentialed requests to arbitrary endpoints on any site that had invoked the Storage Access API. This enabled potential Cross-Site Request Forgery attacks across origins. This vulnerability affects Firefox < 138 and Thunderbird < 138.
Credit: security@mozilla.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Firefox | <138 | |
| Thunderbird | <138 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2025-4088?
CVE-2025-4088 has been rated as a high severity vulnerability due to its potential to facilitate Cross-Site Request Forgery attacks.
How do I fix CVE-2025-4088?
To fix CVE-2025-4088, upgrade to Firefox or Thunderbird version 138 or later.
What products are affected by CVE-2025-4088?
CVE-2025-4088 affects Firefox and Thunderbird versions prior to 138.
Can CVE-2025-4088 be exploited remotely?
Yes, CVE-2025-4088 can be exploited remotely as malicious sites can use redirects to launch attacks.
What are the risks associated with CVE-2025-4088?
The risks associated with CVE-2025-4088 include unauthorized access to user credentials and the potential for data breaches via Cross-Site Request Forgery.
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/type
- agent/first-publish-date
- agent/description
- agent/guess-ai
- agent/software-canonical-lookup
- agent/softwarecombine
- agent/author
- agent/source
- agent/tags
- collector/nvd-api
- source/NVD
- agent/weakness
- agent/last-modified-date
- agent/severity
- agent/event
- vendor/mozilla
- canonical/firefox
- canonical/thunderbird