The executable file warning did not warn users before opening files with the `terminal` extension. *This bug only affects Firefox for macOS. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 140, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12.

vendor_unpatched cve-2025-6426: Unpatched CVEs for Ubuntu Linux (cve-2025-6426)

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2025:02546-1 advisory.

    Update to Mozilla Thunderbird 140.1 (MFSA 2025-63) (bsc#1246664):

    - CVE-2025-8027: JavaScript engine only wrote partial return value to stack (bmo#1968423)
    - CVE-2025-8028: Large branch table could lead to truncated instruction (bmo#1971581)
    - CVE-2025-8029: javascript: URLs executed on object and embed tags (bmo#1928021)
    - CVE-2025-8036: DNS rebinding circumvents CORS (bmo#1960834)
    - CVE-2025-8037: Nameless cookies shadow secure cookies (bmo#1964767)
    - CVE-2025-8030: Potential user-assisted code execution in 'Copy as cURL' command (bmo#1968414)
    - CVE-2025-8031: Incorrect URL stripping in CSP reports (bmo#1971719)
    - CVE-2025-8032: XSLT documents could bypass CSP (bmo#1974407)
    - CVE-2025-8038: CSP frame-src was not correctly enforced for paths (bmo#1808979)
    - CVE-2025-8039: Search terms persisted in URL bar (bmo#1970997)
    - CVE-2025-8033: Incorrect JavaScript state machine for generators (bmo#1973990)
    - CVE-2025-8034: Memory safety bugs fixed in Firefox ESR 115.26, Firefox ESR 128.13, Thunderbird ESR     128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141 (bmo#1970422,     bmo#1970422, bmo#1970422, bmo#1970422)
    - CVE-2025-8040: Memory safety bugs fixed in Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and     Thunderbird 141 (bmo#1975058, bmo#1975058, bmo#1975998, bmo#1975998)
    - CVE-2025-8035: Memory safety bugs fixed in Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR     140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141 (bmo#1975961, bmo#1975961, bmo#1975961)

    Update to Mozilla Thunderbird 140.0.1 (MFSA 2025-54) (bsc#1244670):

    - CVE-2025-6424: Use-after-free in FontFaceSet (bmo#1966423)
    - CVE-2025-6425: The WebCompat WebExtension shipped exposed a persistent UUID (bmo#1717672)
    - CVE-2025-6426: No warning when opening executable terminal files on macOS (bmo#1964385)
    - CVE-2025-6427: connect-src Content Security Policy restriction could be bypassed (bmo#1966927)
    - CVE-2025-6429: Incorrect parsing of URLs could have allowed embedding of youtube.com (bmo#1970658)
    - CVE-2025-6430: Content-Disposition header ignored when a file is included in an embed or object tag     (bmo#1971140)
    - CVE-2025-6432: DNS Requests leaked outside of a configured SOCKS proxy (bmo#1943804)
    - CVE-2025-6433: WebAuthn would allow a user to sign a challenge on a webpage with an invalid TLS     certificate (bmo#1954033)
    - CVE-2025-6434: HTTPS-Only exception screen lacked anti-clickjacking delay (bmo#1955182)
    - CVE-2025-6435: Save as in Devtools could download files without sanitizing the extension (bmo#1950056,     bmo#1961777)
    - CVE-2025-6436: Memory safety bugs fixed in Firefox 140 and Thunderbird 140 (bmo#1941377, bmo#1960948,     bmo#1966187, bmo#1966505, bmo#1970764)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2025:02529-1 advisory.

    MozillaFirefox is updated to the 140ESR series.

    Firefox Extended Support Release 140.0esr ESR:

      * General

      - Reader View now has an enhanced Text and Layout menu with         new options for character spacing, word spacing, and text         alignment. These changes offer a more accessible reading         experience.
      - Reader View now has a Theme menu with additional Contrast         and Gray options. You can also select custom colors for text,         background, and links from the Custom tab.
      - Firefox will now offer to temporarily remember when users         grant permissions to sites (e.g. geolocation). Temporary         permissions will be removed either after one hour or when the         tab is closed.
      - Firefox now includes safeguards to prevent sites from         abusing the history API by generating excessive history         entries, which can make navigating with the back and forward         buttons difficult by cluttering the history. This         intervention ensures that such entries, unless interacted         with by the user, are skipped when using the back and forward         buttons.
      - Firefox now identifies all links in PDFs and turns them         into hyperlinks.
      - You can now copy links from background tabs using the         tabstrip context menu on macOS and Linux.
      - Users on macOS and Linux are now given the option to close         only the current tab if the Quit keyboard shortcut is used         while multiple tabs are open in the window. (bmo#None)

      * Sidebar and Tabs

      - You can now enable the updated Firefox sidebar in Settings         > General > Browser Layout to quickly access multiple tools         in one click, without leaving your main view. Sidebar tools         include an AI chatbot of your choice, bookmarks, history, and         tabs from devices you sync with your Mozilla account.
      - Keep a lot of tabs open? Try our new vertical tabs layout         to quickly scan your list of tabs. With vertical tabs, your         open and pinned tabs appear in the sidebar instead of along         the top of the browser. To turn on vertical tabs, right-click         on the toolbar near the top of the browser and select Turn on         Vertical Tabs. If youve enabled the updated sidebar, you can         also go to Customize sidebar and check Vertical tabs. Early         testers report feeling more organized after using vertical         tabs for a few days.
      - Stay productive and organized with less effort by grouping         related tabs together. One simple way to create a group is to         drag a tab onto another, pause until you see a highlight,         then drop to create the group. Tab groups can be named,         color-coded, and are always saved. You can close a group and         reopen it later.
      - A tab preview is now displayed when hovering the mouse over         background tabs, making it easier to locate the desired tab         without needing to switch tabs.
      - The sidebar to view tabs from other devices can now be         opened via the Tab overview menu.

      * Security & Privacy

      - HTTPS is replacing HTTP as the default protocol in the         address bar on non-local sites. If a site is not available         via HTTPS, Firefox will fall back to HTTP.
      - Firefox now blocks third-party cookie access when Enhanced         Tracking Protection's Strict mode is enabled.
      - Firefox now has a new anti-tracking feature, Bounce         Tracking Protection, which is now available in Enhanced         Tracking Protection's 'Strict' mode. This feature detects         bounce trackers based on their redirect behavior and         periodically purges their cookies and site data to block         tracking.
      - Firefox now enforces certificate transparency, requiring         web servers to provide sufficient proof that their         certificates were publicly disclosed before they will be         trusted. This only affects servers using certificates issued         by a certificate authority in Mozilla's Root CA Program.
      - Smartblock Embeds allows users to selectively unblock         certain social media embeds that are blocked in ETP Strict         and Private Browsing modes. Currently, support is limited to         a few embed types, with more to be added in future updates.
      - Firefox now upgrades page loads to HTTPS by default and         gracefully falls back to HTTP if the secure connection fails.
        This behavior is known as HTTPS-First.
      - The 'Copy Without Site Tracking' menu item was renamed to         'Copy Clean Link' to help clarify expectations around what         the feature does. 'Copy Clean Link' is a list based approach         to remove - known tracking parameters from links. This option         can also now be used on plain text links.
      - The Clear browsing data and cookies dialog now allows         clearing saved form info separately from browsing history.

      * Translations

      - Firefox now allows translating selected text portions to         different languages after a full-page translation.
      - Full-Page Translations are now available within Firefox         extension pages that start with the moz-extension:// URL         scheme.
      - When suggesting a default translation language, Firefox         will now take into consideration languages you have         previously used for translations.
      - Added support for many new languages in Firefox         translation.

      * Linux

      - Firefox now supports touchpad hold gestures on Linux. This         means that kinetic (momentum) scrolling can now be         interrupted by placing two fingers on the touchpad.

      * Developer:

      - Firefox now supports text fragments, which         allows users to link directly to a specific portion of text         in a web document via a special URL fragment.
      - Debugger log-point values are now automatically converted         into profiler markers, making it easy to add information to         the marker timeline directly from the Debugger.
      - The Debugger's directory root is now scoped to the specific         domain where it was set, which aligns with typical usage and         avoids applying it across unrelated domains. This builds on         previous improvements such as a redesigned UI and easier         removal of the root setting. Setting a directory root updates         the Source List to show only the selected directory and its         children. (Learn more)
      - The Network Blocking feature in the Network panel now         blocks HTTP requests in addition to blocking responses.
      - The Network panel displays information about Early Hints,         including a dedicated indicator for the 103 HTTP status code         in the user interface.
      - The Network panel now allows overriding network request         responses with local files.
      - The filter setting in the Network panel is now preserved         across DevTools Toolbox sessions.
      - A new column has been added to the Network panel to display         the full path of the request URL. This enhancement makes         helps developers quickly view and analyze complete request         paths.
      - Introduced a new console command `$$$` that allows         searching the page, including within shadow roots.
      - Improved support for debugging web extensions, such as         automatically reloading the web extension's source code in         the Debugger when the extension is reloaded. Workers are now         available in the Console panels context selector and         breakpoints function correctly in content scripts.
      - In the Inspector Fonts panel, we now display fonts         metadata, like the font version, designer, vendor, license,         etc.
      - Added support for the import map integrity field, allowing         you to ensure the integrity of dynamically or statically         imported modules.
      - Implemented support for `Error.isError`, enabling brand         checks to determine whether an object is an instance of         Error. (Learn more)
      - Added support for the `error.captureStackTrace` extension         to improve compatibility with other browsers. (Learn more:
        http://github.com/tc39/proposal-error-capturestacktrace)

      * Enterprise:

      - The UserMessaging policy has been updated with         a new option to allow disabling Firefox Labs in preferences.
      - The Preferences policy has been updated to allow setting         the preference security.pki.certificate_transparency.mode.
      - HTTPS-First is now on by default. You can manage this         behavior using the HttpsOnlyMode and HttpAllowlist policies.
      - An internal change has been made to Firefox that removes         `XPCOMUtils.defineLazyGetter`. For most people, this         shouldn't matter, but if you encounter problems with         AutoConfig or third party software like PolicyPak, this might         be the cause. You'll need to reach out to your provider.
      - Firefox now supports the Content Analysis SDK for         integrating DLP software. For more information, see this         post.
      - The SearchEngines policy is now available on all versions         of Firefox (not just the ESR).

    Various security fixes MFSA 2025-51 (bsc#1244670):

      * CVE-2025-6424 (bmo#1966423)         Use-after-free in FontFaceSet
      * CVE-2025-6425 (bmo#1717672)         The WebCompat WebExtension shipped with Firefox exposed a         persistent UUID
      * CVE-2025-6426 (bmo#1964385)         No warning when opening executable terminal files on macOS
      * CVE-2025-6427 (bmo#1966927)         connect-src Content Security Policy restriction could be         bypassed
      * CVE-2025-6428 (bmo#1970151)         Firefox for Android opened URLs specified in a link         querystring parameter
      * CVE-2025-6429 (bmo#1970658)         Incorrect parsing of URLs could have allowed embedding of         youtube.com
      * CVE-2025-6430 (bmo#1971140)         Content-Disposition header ignored when a file is included in         an embed or object tag
      * CVE-2025-6431 (bmo#1942716)         The prompt in Firefox for Android that asks before opening a         link in an external application could be bypassed
      * CVE-2025-6432 (bmo#1943804)         DNS Requests leaked outside of a configured SOCKS proxy
      * CVE-2025-6433 (bmo#1954033)         WebAuthn would allow a user to sign a challenge on a webpage         with an invalid TLS certificate
      * CVE-2025-6434 (bmo#1955182)         HTTPS-Only exception screen lacked anti-clickjacking delay
      * CVE-2025-6435 (bmo#1950056, bmo#1961777)         Save as in Devtools could download files without sanitizing         the extension
      * CVE-2025-6436 (bmo#1941377, bmo#1960948, bmo#1966187,         bmo#1966505, bmo#1970764)         Memory safety bugs fixed in Firefox 140 and Thunderbird 140

    Various security fixes MFSA 2025-59 (bsc#1246664):

    - CVE-2025-8027: JavaScript engine only wrote partial return value to stack
    - CVE-2025-8028: Large branch table could lead to truncated instruction
    - CVE-2025-8029: javascript: URLs executed on object and embed tags
    - CVE-2025-8036: DNS rebinding circumvents CORS
    - CVE-2025-8037: Nameless cookies shadow secure cookies
    - CVE-2025-8030: Potential user-assisted code execution in Copy as cURL command
    - CVE-2025-8031: Incorrect URL stripping in CSP reports
    - CVE-2025-8032: XSLT documents could bypass CSP
    - CVE-2025-8038: CSP frame-src was not correctly enforced for paths
    - CVE-2025-8039: Search terms persisted in URL bar
    - CVE-2025-8033: Incorrect JavaScript state machine for generators
    - CVE-2025-8034: Memory safety bugs fixed in Firefox ESR 115.26, Firefox ESR 128.13, Thunderbird ESR     128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141
    - CVE-2025-8040: Memory safety bugs fixed in Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and     Thunderbird 141
    - CVE-2025-8035: Memory safety bugs fixed in Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR     140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 22.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-7663-1 advisory.

    Multiple security issues were discovered in Thunderbird. If a user were tricked into opening a specially     crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of     service, obtain sensitive information, bypass security restrictions, cross-site tracing, or execute     arbitrary code.

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2025:02368-1 advisory.

    Update to Mozilla Thunderbird 128.12 (MFSA 2025-55, bsc#1244670):

    - CVE-2025-6424: Use-after-free in FontFaceSet (bmo#1966423)
    - CVE-2025-6425: The WebCompat WebExtension shipped exposed a persistent UUID (bmo#1717672)
    - CVE-2025-6426: No warning when opening executable terminal files on macOS (bmo#1964385)
    - CVE-2025-6429: Incorrect parsing of URLs could have allowed embedding of youtube.com (bmo#1970658)
    - CVE-2025-6430: Content-Disposition header ignored when a file is included in an embed or object tag     (bmo#1971140)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2025:02339-1 advisory.

    This is the Firefox Extended Support Release 140.0esr ESR

    Major changes:

    General:

      - Reader View now has an enhanced Text and Layout menu with         new options for character spacing, word spacing, and text         alignment. These changes offer a more accessible reading         experience.
      - Reader View now has a Theme menu with additional Contrast         and Gray options. You can also select custom colors for text,         background, and links from the Custom tab.
      - Firefox will now offer to temporarily remember when users         grant permissions to sites (e.g. geolocation). Temporary         permissions will be removed either after one hour or when the         tab is closed.
      - Firefox now includes safeguards to prevent sites from         abusing the history API by generating excessive history         entries, which can make navigating with the back and forward         buttons difficult by cluttering the history. This         intervention ensures that such entries, unless interacted         with by the user, are skipped when using the back and forward         buttons.
      - Firefox now identifies all links in PDFs and turns them         into hyperlinks.
      - You can now copy links from background tabs using the         tabstrip context menu on macOS and Linux.
      - Users on macOS and Linux are now given the option to close         only the current tab if the Quit keyboard shortcut is used         while multiple tabs are open in the window. (bmo#None)

    Sidebar and Tabs:

     - You can now enable the updated Firefox sidebar in Settings         > General > Browser Layout to quickly access multiple tools         in one click, without leaving your main view. Sidebar tools         include an AI chatbot of your choice, bookmarks, history, and         tabs from devices you sync with your Mozilla account.
      - Keep a lot of tabs open? Try our new vertical tabs layout         to quickly scan your list of tabs. With vertical tabs, your         open and pinned tabs appear in the sidebar instead of along         the top of the browser. To turn on vertical tabs, right-click         on the toolbar near the top of the browser and select Turn on         Vertical Tabs. If youve enabled the updated sidebar, you can         also go to Customize sidebar and check Vertical tabs. Early         testers report feeling more organized after using vertical         tabs for a few days.
      - Stay productive and organized with less effort by grouping         related tabs together. One simple way to create a group is to         drag a tab onto another, pause until you see a highlight,         then drop to create the group. Tab groups can be named,         color-coded, and are always saved. You can close a group and         reopen it later.
      - A tab preview is now displayed when hovering the mouse over         background tabs, making it easier to locate the desired tab         without needing to switch tabs.
      - The sidebar to view tabs from other devices can now be         opened via the Tab overview menu.

    Security & Privacy:

      - HTTPS is replacing HTTP as the default protocol in the         address bar on non-local sites. If a site is not available         via HTTPS, Firefox will fall back to HTTP.
      - Firefox now blocks third-party cookie access when Enhanced         Tracking Protection's Strict mode is enabled.
      - Firefox now has a new anti-tracking feature, Bounce         Tracking Protection, which is now available in Enhanced         Tracking Protection's 'Strict' mode. This feature detects         bounce trackers based on their redirect behavior and         periodically purges their cookies and site data to block         tracking.
      - Firefox now enforces certificate transparency, requiring         web servers to provide sufficient proof that their         certificates were publicly disclosed before they will be         trusted. This only affects servers using certificates issued         by a certificate authority in Mozilla's Root CA Program.
      - Smartblock Embeds allows users to selectively unblock         certain social media embeds that are blocked in ETP Strict         and Private Browsing modes. Currently, support is limited to         a few embed types, with more to be added in future updates.
      - Firefox now upgrades page loads to HTTPS by default and         gracefully falls back to HTTP if the secure connection fails.
        This behavior is known as HTTPS-First.
      - The 'Copy Without Site Tracking' menu item was renamed to         'Copy Clean Link' to help clarify expectations around what         the feature does. 'Copy Clean Link' is a list based approach         to remove - known tracking parameters from links. This option         can also now be used on plain text links.
      - The Clear browsing data and cookies dialog now allows         clearing saved form info separately from browsing history.

    Translations:

      - Firefox now allows translating selected text portions to         different languages after a full-page translation.
      - Full-Page Translations are now available within Firefox         extension pages that start with the moz-extension:// URL         scheme.
      - When suggesting a default translation language, Firefox         will now take into consideration languages you have         previously used for translations.
      - Added support for many new languages in Firefox         translation.

    Windows:

      - Canvas2D switched from Direct2D to a platform independent         acceleration backend on Windows.
      - Hardware-accelerated playback of HEVC video content is now         supported on Windows.
      - Firefox on Windows 11 now uses acrylic-style menus for         popup windows, which better match the operating systems         aesthetic. (bmo#None)

    Linux:

      - Firefox now supports touchpad hold gestures on Linux. This         means that kinetic (momentum) scrolling can now be         interrupted by placing two fingers on the touchpad.
        (bmo#None)

    * Developer:

      - Firefox now supports text fragments, which         allows users to link directly to a specific portion of text         in a web document via a special URL fragment.
      - Debugger log-point values are now automatically converted         into profiler markers, making it easy to add information to         the marker timeline directly from the Debugger.
      - The Debugger's directory root is now scoped to the specific         domain where it was set, which aligns with typical usage and         avoids applying it across unrelated domains. This builds on         previous improvements such as a redesigned UI and easier         removal of the root setting. Setting a directory root updates         the Source List to show only the selected directory and its         children. (Learn more)
      - The Network Blocking feature in the Network panel now         blocks HTTP requests in addition to blocking responses.
        - The Network panel displays information about Early Hints,         including a dedicated indicator for the 103 HTTP status code         in the user interface.
      - The Network panel now allows overriding network request         responses with local files.
      - The filter setting in the Network panel is now preserved         across DevTools Toolbox sessions.
      - A new column has been added to the Network panel to display         the full path of the request URL. This enhancement makes         helps developers quickly view and analyze complete request         paths.
      - Introduced a new console command `$$$` that allows         searching the page, including within shadow roots.
      - Improved support for debugging web extensions, such as         automatically reloading the web extension's source code in         the Debugger when the extension is reloaded. Workers are now         available in the Console panels context selector and         breakpoints function correctly in content scripts.
      - In the Inspector Fonts panel, we now display fonts         metadata, like the font version, designer, vendor, license,         etc.
      - Added support for the import map integrity field, allowing         you to ensure the integrity of dynamically or statically         imported modules.
      - Implemented support for `Error.isError`, enabling brand         checks to determine whether an object is an instance of         Error. (Learn more)
      - Added support for the `error.captureStackTrace` extension         to improve compatibility with other browsers. (Learn more)           [5]: http://github.com/tc39/proposal-error-         capturestacktrace (bmo#None)

      * Enterprise:

      - The UserMessaging policy has been updated with         a new option to allow disabling Firefox Labs in preferences.
      - The Preferences policy has been updated to allow setting         the preference security.pki.certificate_transparency.mode.
      - HTTPS-First is now on by default. You can manage this         behavior using the HttpsOnlyMode and HttpAllowlist policies.
      - An internal change has been made to Firefox that removes         `XPCOMUtils.defineLazyGetter`. For most people, this         shouldn't matter, but if you encounter problems with         AutoConfig or third party software like PolicyPak, this might         be the cause. You'll need to reach out to your provider.
      - Firefox now supports the Content Analysis SDK for         integrating DLP software. For more information, see this         post.
      - The SearchEngines policy is now available on all versions         of Firefox (not just the ESR).

    * Fixed: Various security fixes.

      MFSA 2025-51 (bsc#1244670)
      * CVE-2025-6424 (bmo#1966423)         Use-after-free in FontFaceSet
      * CVE-2025-6425 (bmo#1717672)         The WebCompat WebExtension shipped with Firefox exposed a         persistent UUID
      * CVE-2025-6426 (bmo#1964385)         No warning when opening executable terminal files on macOS
      * CVE-2025-6427 (bmo#1966927)         connect-src Content Security Policy restriction could be         bypassed
      * CVE-2025-6428 (bmo#1970151)         Firefox for Android opened URLs specified in a link         querystring parameter
      * CVE-2025-6429 (bmo#1970658)         Incorrect parsing of URLs could have allowed embedding of         youtube.com
      * CVE-2025-6430 (bmo#1971140)         Content-Disposition header ignored when a file is included in         an embed or object tag
      * CVE-2025-6431 (bmo#1942716)         The prompt in Firefox for Android that asks before opening a         link in an external application could be bypassed
      * CVE-2025-6432 (bmo#1943804)         DNS Requests leaked outside of a configured SOCKS proxy
      * CVE-2025-6433 (bmo#1954033)         WebAuthn would allow a user to sign a challenge on a webpage         with an invalid TLS certificate
      * CVE-2025-6434 (bmo#1955182)         HTTPS-Only exception screen lacked anti-clickjacking delay
      * CVE-2025-6435 (bmo#1950056, bmo#1961777)         Save as in Devtools could download files without sanitizing         the extension
      * CVE-2025-6436 (bmo#1941377, bmo#1960948, bmo#1966187,         bmo#1966505, bmo#1970764)         Memory safety bugs fixed in Firefox 140 and Thunderbird 140

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 42 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2025-c0d9be4e68 advisory.

    Update to 128.12.0

    * https://www.thunderbird.net/en-US/thunderbird/128.12.0esr/releasenotes/
    * https://www.mozilla.org/en-US/security/advisories/mfsa2025-55/

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 41 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2025-8e4e6cf21e advisory.

    Update to 128.12.0

    * https://www.thunderbird.net/en-US/thunderbird/128.12.0esr/releasenotes/
    * https://www.mozilla.org/en-US/security/advisories/mfsa2025-55/


Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Thunderbird installed on the remote macOS or Mac OS X host is prior to 128.12. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2025-55 advisory.

  - The executable file warning did not warn users before opening files with the <code>terminal</code>     extension.  This bug only affects Thunderbird for macOS. Other versions of Thunderbird are unaffected.
    (CVE-2025-6426)

  - A use-after-free in FontFaceSet resulted in a potentially exploitable crash. (CVE-2025-6424)

  - An attacker who enumerated resources from the WebCompat extension could have obtained a persistent UUID     that identified the browser, and persisted between containers and normal/private browsing mode, but not     profiles. (CVE-2025-6425)

  - Thunderbird could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing     the URL specified in an <code>embed</code> tag.  This could have bypassed website security checks that     restricted which domains users were allowed to embed. (CVE-2025-6429)

  - When a file download is specified via the <code>Content-Disposition</code> header, that directive would be     ignored if the file was included via a <code><embed></code> or <code><object></code> tag,     potentially making a website vulnerable to a cross-site scripting attack. (CVE-2025-6430)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Thunderbird installed on the remote Windows host is prior to 128.12. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2025-55 advisory.

  - The executable file warning did not warn users before opening files with the <code>terminal</code>     extension.  This bug only affects Thunderbird for macOS. Other versions of Thunderbird are unaffected.
    (CVE-2025-6426)

  - A use-after-free in FontFaceSet resulted in a potentially exploitable crash. (CVE-2025-6424)

  - An attacker who enumerated resources from the WebCompat extension could have obtained a persistent UUID     that identified the browser, and persisted between containers and normal/private browsing mode, but not     profiles. (CVE-2025-6425)

  - Thunderbird could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing     the URL specified in an <code>embed</code> tag.  This could have bypassed website security checks that     restricted which domains users were allowed to embed. (CVE-2025-6429)

  - When a file download is specified via the <code>Content-Disposition</code> header, that directive would be     ignored if the file was included via a <code><embed></code> or <code><object></code> tag,     potentially making a website vulnerable to a cross-site scripting attack. (CVE-2025-6430)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Thunderbird installed on the remote Windows host is prior to 140.0. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2025-54 advisory.

  - If a user visited a webpage with an invalid TLS certificate, and granted an exception, the webpage was     able to provide a WebAuthn challenge that the user would be prompted to complete.  This is in violation of     the WebAuthN spec which requires a secure transport established without errors. (CVE-2025-6433)

  - A use-after-free in FontFaceSet resulted in a potentially exploitable crash. (CVE-2025-6424)

  - An attacker who enumerated resources from the WebCompat extension could have obtained a persistent UUID     that identified the browser, and persisted between containers and normal/private browsing mode, but not     profiles. (CVE-2025-6425)

  - The executable file warning did not warn users before opening files with the <code>terminal</code>     extension.  This bug only affects Thunderbird for macOS. Other versions of Thunderbird are unaffected.
    (CVE-2025-6426)

  - An attacker was able to bypass the <code>connect-src</code> directive of a Content Security Policy by     manipulating subdocuments. This would have also hidden the connections from the Network tab in Devtools.
    (CVE-2025-6427)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Thunderbird installed on the remote macOS or Mac OS X host is prior to 140.0. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2025-54 advisory.

  - If a user visited a webpage with an invalid TLS certificate, and granted an exception, the webpage was     able to provide a WebAuthn challenge that the user would be prompted to complete.  This is in violation of     the WebAuthN spec which requires a secure transport established without errors. (CVE-2025-6433)

  - A use-after-free in FontFaceSet resulted in a potentially exploitable crash. (CVE-2025-6424)

  - An attacker who enumerated resources from the WebCompat extension could have obtained a persistent UUID     that identified the browser, and persisted between containers and normal/private browsing mode, but not     profiles. (CVE-2025-6425)

  - The executable file warning did not warn users before opening files with the <code>terminal</code>     extension.  This bug only affects Thunderbird for macOS. Other versions of Thunderbird are unaffected.
    (CVE-2025-6426)

  - An attacker was able to bypass the <code>connect-src</code> directive of a Content Security Policy by     manipulating subdocuments. This would have also hidden the connections from the Network tab in Devtools.
    (CVE-2025-6427)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2025:02122-1 advisory.

    Update to MozillaFirefox 128.12.0 (MFSA 2025-23, bsc#1244670):

    - CVE-2025-6424: Use-after-free in FontFaceSet
    - CVE-2025-6425: The WebCompat WebExtension shipped with Firefox exposed a persistent UUID
    - CVE-2025-6426: No warning when opening executable terminal files on macOS
    - CVE-2025-6429: Incorrect parsing of URLs could have allowed embedding of youtube.com
    - CVE-2025-6430: Content-Disposition header ignored when a file is included in an embed or object tag

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2025:02123-1 advisory.

    Update to MozillaFirefox 128.12.0 (MFSA 2025-23, bsc#1244670):

    - CVE-2025-6424: Use-after-free in FontFaceSet
    - CVE-2025-6425: The WebCompat WebExtension shipped with Firefox exposed a persistent UUID
    - CVE-2025-6426: No warning when opening executable terminal files on macOS
    - CVE-2025-6429: Incorrect parsing of URLs could have allowed embedding of youtube.com
    - CVE-2025-6430: Content-Disposition header ignored when a file is included in an embed or object tag

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 41 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2025-1605ec3e86 advisory.

    - Updated to latest upstream (140.0)

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 42 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2025-6bffc34b8d advisory.

    - Updated to latest upstream (140.0)

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of mozilla-firefox installed on the remote host is prior to 140.0esr. It is, therefore, affected by multiple vulnerabilities as referenced in the SSA:2025-175-02 advisory.

    New mozilla-firefox packages are available for Slackware 15.0 and -current to fix security issues.

Tenable has extracted the preceding description block directly from the mozilla-firefox security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Firefox ESR installed on the remote macOS or Mac OS X host is prior to 128.12. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2025-53 advisory.

  - A use-after-free in FontFaceSet resulted in a potentially exploitable crash. (CVE-2025-6424)

  - An attacker who enumerated resources from the WebCompat extension could have obtained a persistent UUID     that identified the browser, and persisted between containers and normal/private browsing mode, but not     profiles. (CVE-2025-6425)

  - The executable file warning did not warn users before opening files with the <code>terminal</code>     extension.  This bug only affects Firefox for macOS. Other versions of Firefox are unaffected.
    (CVE-2025-6426)

  - Firefox could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing the     URL specified in an <code>embed</code> tag.  This could have bypassed website security checks that     restricted which domains users were allowed to embed. (CVE-2025-6429)

  - When a file download is specified via the <code>Content-Disposition</code> header, that directive would be     ignored if the file was included via a <code><embed></code> or <code><object></code> tag,     potentially making a website vulnerable to a cross-site scripting attack. (CVE-2025-6430)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Firefox ESR installed on the remote Windows host is prior to 128.12. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2025-53 advisory.

  - A use-after-free in FontFaceSet resulted in a potentially exploitable crash. (CVE-2025-6424)

  - An attacker who enumerated resources from the WebCompat extension could have obtained a persistent UUID     that identified the browser, and persisted between containers and normal/private browsing mode, but not     profiles. (CVE-2025-6425)

  - The executable file warning did not warn users before opening files with the <code>terminal</code>     extension.  This bug only affects Firefox for macOS. Other versions of Firefox are unaffected.
    (CVE-2025-6426)

  - Firefox could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing the     URL specified in an <code>embed</code> tag.  This could have bypassed website security checks that     restricted which domains users were allowed to embed. (CVE-2025-6429)

  - When a file download is specified via the <code>Content-Disposition</code> header, that directive would be     ignored if the file was included via a <code><embed></code> or <code><object></code> tag,     potentially making a website vulnerable to a cross-site scripting attack. (CVE-2025-6430)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Firefox installed on the remote Windows host is prior to 140.0. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2025-51 advisory.

  - Memory safety bugs present in Firefox 139 and Thunderbird 139. Some of these bugs showed evidence of     memory corruption and we presume that with enough effort some of these could have been exploited to run     arbitrary code. (CVE-2025-6436)

  - A use-after-free in FontFaceSet resulted in a potentially exploitable crash. (CVE-2025-6424)

  - An attacker who enumerated resources from the WebCompat extension could have obtained a persistent UUID     that identified the browser, and persisted between containers and normal/private browsing mode, but not     profiles. (CVE-2025-6425)

  - The executable file warning did not warn users before opening files with the <code>terminal</code>     extension.  This bug only affects Firefox for macOS. Other versions of Firefox are unaffected.
    (CVE-2025-6426)

  - An attacker was able to bypass the <code>connect-src</code> directive of a Content Security Policy by     manipulating subdocuments. This would have also hidden the connections from the Network tab in Devtools.
    (CVE-2025-6427)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Firefox installed on the remote macOS or Mac OS X host is prior to 140.0. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2025-51 advisory.

  - Memory safety bugs present in Firefox 139 and Thunderbird 139. Some of these bugs showed evidence of     memory corruption and we presume that with enough effort some of these could have been exploited to run     arbitrary code. (CVE-2025-6436)

  - A use-after-free in FontFaceSet resulted in a potentially exploitable crash. (CVE-2025-6424)

  - An attacker who enumerated resources from the WebCompat extension could have obtained a persistent UUID     that identified the browser, and persisted between containers and normal/private browsing mode, but not     profiles. (CVE-2025-6425)

  - The executable file warning did not warn users before opening files with the <code>terminal</code>     extension.  This bug only affects Firefox for macOS. Other versions of Firefox are unaffected.
    (CVE-2025-6426)

  - An attacker was able to bypass the <code>connect-src</code> directive of a Content Security Policy by     manipulating subdocuments. This would have also hidden the connections from the Network tab in Devtools.
    (CVE-2025-6427)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
243222	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : MozillaThunderbird (SUSE-SU-2025:02546-1)	Nessus	SuSE Local Security Checks	critical
242865	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : MozillaFirefox, MozillaFirefox-branding-SLE (SUSE-SU-2025:02529-1)	Nessus	SuSE Local Security Checks	critical
242691	Ubuntu 22.04 LTS : Thunderbird vulnerabilities (USN-7663-1)	Nessus	Ubuntu Local Security Checks	critical
242370	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : MozillaThunderbird (SUSE-SU-2025:02368-1)	Nessus	SuSE Local Security Checks	critical
242306	SUSE SLES12 Security Update : MozillaFirefox, MozillaFirefox-branding-SLE (SUSE-SU-2025:02339-1)	Nessus	SuSE Local Security Checks	critical
241937	Fedora 42 : thunderbird (2025-c0d9be4e68)	Nessus	Fedora Local Security Checks	critical
241695	Fedora 41 : thunderbird (2025-8e4e6cf21e)	Nessus	Fedora Local Security Checks	critical
241213	Mozilla Thunderbird < 128.12	Nessus	MacOS X Local Security Checks	critical
241212	Mozilla Thunderbird < 128.12	Nessus	Windows	critical
241211	Mozilla Thunderbird < 140.0	Nessus	Windows	critical
241210	Mozilla Thunderbird < 140.0	Nessus	MacOS X Local Security Checks	critical
240735	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : MozillaFirefox (SUSE-SU-2025:02122-1)	Nessus	SuSE Local Security Checks	critical
240713	SUSE SLES12 Security Update : MozillaFirefox (SUSE-SU-2025:02123-1)	Nessus	SuSE Local Security Checks	critical
240629	Fedora 41 : firefox (2025-1605ec3e86)	Nessus	Fedora Local Security Checks	critical
240515	Fedora 42 : firefox (2025-6bffc34b8d)	Nessus	Fedora Local Security Checks	high
240489	Slackware Linux 15.0 / current mozilla-firefox Multiple Vulnerabilities (SSA:2025-175-02)	Nessus	Slackware Local Security Checks	high
240336	Mozilla Firefox ESR < 128.12	Nessus	MacOS X Local Security Checks	critical
240335	Mozilla Firefox ESR < 128.12	Nessus	Windows	critical
240334	Mozilla Firefox < 140.0	Nessus	Windows	critical
240333	Mozilla Firefox < 140.0	Nessus	MacOS X Local Security Checks	critical

Detections

Analytics

CVE-2025-6426

high

Tenable Plugins

Coming Soon

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

high

high

critical

critical

critical

critical