CVE-2025-4088
Description
A security vulnerability in Thunderbird allowed malicious sites to use redirects to send credentialed requests to arbitrary endpoints on any site that had invoked the Storage Access API. This enabled potential Cross-Site Request Forgery attacks across origins. This vulnerability was fixed in Firefox 138 and Thunderbird 138.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Thunderbird redirects after Storage Access API invocation enable cross-site request forgery via credentialed requests.
Vulnerability
Description
CVE-2025-4088 is a cross-site request forgery (CSRF) vulnerability in Thunderbird that arises from improper handling of the Storage Access API (SAA). The bug stems from the fact that when a site has been granted storage access via the SAA, subsequent cross-origin redirects during fetch requests do not clear the storage access flag. As a result, a malicious site can chain redirects to send credentialed HTTP requests to arbitrary endpoints on any site that had previously invoked the Storage Access API. This behavior violates the expected security guarantee that storage access should be limited to the requesting origin, and the CSRF protection users might expect from third-party cookie restrictions. [1][2][3]
Attack
Vector and Exploitation
Exploitation requires visiting a malicious website (e.g., via a crafted link or advertisement) while the user's browser has granted storage access to some other site (e.g., via the user interacting with an embedded third-party frame). The attacker can then initiate a fetch or navigation sequence that traverses a cross-origin redirect, preserving the storage access token. This lets the attacker forge requests that appear to come from the trusted origin, including authentication credentials or session cookies. No special privileges beyond normal web access are required, but the victim must have previously performed an action that triggered the storage access grant. [3]
Impact
An attacker can perform state-changing operations on behalf of the victim on any site that has previously received storage access, such as posting content, transferring funds, or changing account settings. The severity is rated Medium (CVSS 6.5) because it relies on a pre-existing storage grant and user interaction, but the potential for automated, silent exploitation is significant. The impact is akin to traditional CSRF but amplified by the ability to target multiple origins without requiring the victim to be already authenticated on the target site via third-party cookies. [1][2]
Mitigation
Mozilla fixed this issue in Firefox 138 and Thunderbird 138, released on April 29, 2025. The fix ensures that storage access flags are properly cleared when a cross-origin redirect occurs during a fetch request, thereby preventing the credential-leaking behavior. Users are strongly advised to update their browsers to the latest versions. No workarounds are documented. [1][2]
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- www.mozilla.org/security/advisories/mfsa2025-28/nvdVendor Advisory
- www.mozilla.org/security/advisories/mfsa2025-31/nvdVendor Advisory
- bugzilla.mozilla.org/show_bug.cginvdPermissions Required
News mentions
0No linked articles in our index yet.