Mozilla Foundation Security Advisory 2025-91
Security Vulnerabilities fixed in Thunderbird 140.5
- Announced: November 12, 2025
- Impact: high
- Products: Thunderbird
- Fixed in: Thunderbird 140.5
In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but they are potential risks in browser or browser-like contexts.
#CVE-2025-13012: Race condition in the Graphics component
- Reporter: Irvan Kurniawan
- Impact: high
#CVE-2025-13016: Incorrect boundary conditions in the JavaScript: WebAssembly component
- Reporter: Igor Morgenstern
- Impact: high
#CVE-2025-13017: Same-origin policy bypass in the DOM: Notifications component
- Reporter: Mochammad Nosa Shandy Prastyo
- Impact: moderate
#CVE-2025-13018: Mitigation bypass in the DOM: Security component
- Reporter: Daniel Veditz
- Impact: moderate
#CVE-2025-13019: Same-origin policy bypass in the DOM: Workers component
- Reporter: Oskar L
- Impact: moderate
#CVE-2025-13013: Mitigation bypass in the DOM: Core & HTML component
- Reporter: Masato Kinugawa
- Impact: moderate
#CVE-2025-13020: Use-after-free in the WebRTC: Audio/Video component
- Reporter: Andreas Pehrson
- Impact: moderate
#CVE-2025-13014: Use-after-free in the Audio/Video component
- Reporter: Andrew Osmond
- Impact: moderate
#CVE-2025-13015: Spoofing issue in Thunderbird
- Reporter: Eemeli Aro
- Impact: low