Name | CVE-2025-0237 |
Description | The WebChannel API, which is used to transport various information across processes, did not check the sending principal but rather accepted the principal being sent. This could have led to privilege escalation attacks. This vulnerability affects Firefox < 134 and Firefox ESR < 128.6. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
References | DSA-5839-1 |
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|---|---|---|
firefox (PTS) | sid | 134.0-1 | fixed |
firefox-esr (PTS) | bullseye | 115.14.0esr-1~deb11u1 | vulnerable |
firefox-esr (PTS) | bullseye (security) | 128.5.0esr-1~deb11u1 | vulnerable |
firefox-esr (PTS) | bookworm | 128.3.1esr-1~deb12u1 | vulnerable |
firefox-esr (PTS) | bookworm (security) | 128.6.0esr-1~deb12u1 | fixed |
firefox-esr (PTS) | trixie | 128.5.0esr-1 | vulnerable |
firefox-esr (PTS) | sid | 128.6.0esr-1 | fixed |
thunderbird (PTS) | bullseye | 1:115.12.0-1~deb11u1 | vulnerable |
thunderbird (PTS) | bullseye (security) | 1:128.5.0esr-1~deb11u1 | vulnerable |
thunderbird (PTS) | bookworm | 1:115.16.0esr-1~deb12u1 | vulnerable |
thunderbird (PTS) | bookworm (security) | 1:128.5.0esr-1~deb12u1 | vulnerable |
thunderbird (PTS) | trixie | 1:128.5.2esr-1 | vulnerable |
thunderbird (PTS) | sid | 1:128.6.0esr-1 | fixed |
The information below is based on the following data on fixed versions.
Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
---|---|---|---|---|---|---|
firefox | source | (unstable) | 134.0-1 | | | |
firefox-esr | source | bookworm | 128.6.0esr-1~deb12u1 | | DSA-5839-1 | |
firefox-esr | source | (unstable) | 128.6.0esr-1 | | | |
thunderbird | source | (unstable) | 1:128.6.0esr-1 | | | |
https://www.mozilla.org/en-US/security/advisories/mfsa2025-01/#CVE-2025-0237
https://www.mozilla.org/en-US/security/advisories/mfsa2025-02/#CVE-2025-0237
https://www.mozilla.org/en-US/security/advisories/mfsa2025-05/#CVE-2025-0237