CVE-2025-2817

EUVD-2025-12689

29.04.2025, 14:15

Thunderbird's update mechanism allowed a medium-integrity user process to interfere with the SYSTEM-level updater by manipulating the file-locking behavior. By injecting code into the user-privileged process, an attacker could bypass intended access controls, allowing SYSTEM-level file operations on paths controlled by a non-privileged user and enabling privilege escalation. This vulnerability was fixed in Firefox 138, Firefox ESR 128.10, Firefox ESR 115.23, Thunderbird 138, and Thunderbird 128.10.

Path Traversal

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.8 HIGH	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
mozilla	firefox_esr	𝑥 < 115.23.0
mozilla	firefox	𝑥 < 138.0
mozilla	firefox_esr	116.0 ≤ 𝑥 < 128.10.0
mozilla	thunderbird	𝑥 < 128.10.0
mozilla	thunderbird	129.0 ≤ 𝑥 < 138.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

firefox

sid	149.0.2-1 fixed

firefox-esr

bookworm	128.14.0esr-1~deb12u1 fixed
bookworm (security)	140.9.1esr-1~deb12u1 fixed
bullseye	115.14.0esr-1~deb11u1 fixed
bullseye (security)	140.9.1esr-1~deb11u1 fixed
forky	140.9.1esr-1 fixed
sid	140.9.1esr-1 fixed
trixie	140.8.0esr-1~deb13u1 fixed
trixie (security)	140.9.1esr-1~deb13u1 fixed

thunderbird

bookworm	1:140.6.0esr-1~deb12u1 fixed
bookworm (security)	1:140.9.1esr-1~deb12u1 fixed
bullseye	1:115.12.0-1~deb11u1 fixed
bullseye (security)	1:140.9.1esr-1~deb11u1 fixed
forky	1:140.9.1esr-1 fixed
sid	1:140.9.1esr-1 fixed
trixie	1:140.8.0esr-1~deb13u1 fixed
trixie (security)	1:140.9.1esr-1~deb13u1 fixed

Ubuntu Releases

Ubuntu Product

Codename

firefox

focal	dne
jammy	not-affected
noble	not-affected
oracular	not-affected
plucky	not-affected

thunderbird

focal	dne
jammy	not-affected
noble	not-affected
oracular	not-affected
plucky	not-affected

Common Weakness Enumeration

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1917536

https://www.mozilla.org/security/advisories/mfsa2025-28/

https://www.mozilla.org/security/advisories/mfsa2025-29/

https://www.mozilla.org/security/advisories/mfsa2025-30/

https://www.mozilla.org/security/advisories/mfsa2025-31/

https://www.mozilla.org/security/advisories/mfsa2025-32/

https://lists.debian.org/debian-lts-announce/2025/05/msg00022.html