CVE-2025-4083

一、漏洞信息
 漏洞编号：[CVE-2025-4083](https://nvd.nist.gov/vuln/detail/CVE-2025-4083)
 漏洞归属组件：[thunderbird](https://gitee.com/src-openeuler/thunderbird)
 漏洞归属的版本：128.2.0,91.12.0
 CVSS V3.0分值：
  BaseScore：N/A None
  Vector：CVSS：3.0/
 漏洞简述：
  A process isolation vulnerability in Thunderbird stemmed from improper handling of javascript: URIs, which could allow content to execute in the top-level document s process instead of the intended frame, potentially enabling a sandbox escape. This vulnerability affects Firefox < 138, Firefox ESR < 128.10, Firefox ESR < 115.23, Thunderbird < 138, and Thunderbird < 128.10.
 漏洞公开时间：2025-04-29 22:15:35
 漏洞创建时间：2025-04-29 22:43:16
 漏洞详情参考链接：
  https://nvd.nist.gov/vuln/detail/CVE-2025-4083
<details>
<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |
| ------- | -------- | -------- |
| security.mozilla.org | https://bugzilla.mozilla.org/show_bug.cgi?id=1958350 |  |
| security.mozilla.org | https://www.mozilla.org/security/advisories/mfsa2025-28/ |  |
| security.mozilla.org | https://www.mozilla.org/security/advisories/mfsa2025-29/ |  |
| security.mozilla.org | https://www.mozilla.org/security/advisories/mfsa2025-30/ |  |
| security.mozilla.org | https://www.mozilla.org/security/advisories/mfsa2025-31/ |  |
| security.mozilla.org | https://www.mozilla.org/security/advisories/mfsa2025-32/ |  |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:4443 | https://bugzilla.redhat.com/show_bug.cgi?id=2362907 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:4458 | https://bugzilla.redhat.com/show_bug.cgi?id=2362907 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:4460 | https://bugzilla.redhat.com/show_bug.cgi?id=2362907 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:4753 | https://bugzilla.redhat.com/show_bug.cgi?id=2362907 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:4756 | https://bugzilla.redhat.com/show_bug.cgi?id=2362907 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:4751 | https://bugzilla.redhat.com/show_bug.cgi?id=2362907 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:4752 | https://bugzilla.redhat.com/show_bug.cgi?id=2362907 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:4797 | https://bugzilla.redhat.com/show_bug.cgi?id=2362907 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:7428 | https://bugzilla.redhat.com/show_bug.cgi?id=2362907 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:7506 | https://bugzilla.redhat.com/show_bug.cgi?id=2362907 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:7507 | https://bugzilla.redhat.com/show_bug.cgi?id=2362907 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:7545 | https://bugzilla.redhat.com/show_bug.cgi?id=2362907 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:7547 | https://bugzilla.redhat.com/show_bug.cgi?id=2362907 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:7543 | https://bugzilla.redhat.com/show_bug.cgi?id=2362907 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:7544 | https://bugzilla.redhat.com/show_bug.cgi?id=2362907 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:7693 | https://bugzilla.redhat.com/show_bug.cgi?id=2362907 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:7691 | https://bugzilla.redhat.com/show_bug.cgi?id=2362907 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:7692 | https://bugzilla.redhat.com/show_bug.cgi?id=2362907 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:7690 | https://bugzilla.redhat.com/show_bug.cgi?id=2362907 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:7689 | https://bugzilla.redhat.com/show_bug.cgi?id=2362907 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:7694 | https://bugzilla.redhat.com/show_bug.cgi?id=2362907 |
| redhat_bugzilla | https://access.redhat.com/errata/RHSA-2025:7695 | https://bugzilla.redhat.com/show_bug.cgi?id=2362907 |
| firefox | https://bugzilla.mozilla.org/show_bug.cgi?id=1958350 | https://www.mozilla.org/en-US/security/advisories/mfsa2025-32/ |
| anolis |  | https://anas.openanolis.cn/cves/detail/CVE-2025-4083 |
| mageia |  | http://advisories.mageia.org/MGASA-2025-0150.html |
| amazon_linux_explore | https://access.redhat.com/security/cve/CVE-2025-4083 | https://explore.alas.aws.amazon.com/CVE-2025-4083.html |
| amazon_linux_explore | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4083 | https://explore.alas.aws.amazon.com/CVE-2025-4083.html |

</details>

漏洞分析指导链接：
  https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
 漏洞数据来源:
  openBrain开源漏洞感知系统
 漏洞补丁信息：
  <details>
<summary>详情(点击展开)</summary>

| 影响的包 | 修复版本 | 修复补丁 | 问题引入补丁 | 来源  |
| ------- | -------- | ------- | -------- | --------- |
|  |  | https://bugzilla.mozilla.org/show_bug.cgi?id=1958350 |  | nvd |
|  |  | https://www.mozilla.org/security/advisories/mfsa2025-28/ |  | nvd |
|  |  | https://www.mozilla.org/security/advisories/mfsa2025-29/ |  | nvd |
|  |  | https://www.mozilla.org/security/advisories/mfsa2025-30/ |  | nvd |
|  |  | https://www.mozilla.org/security/advisories/mfsa2025-31/ |  | nvd |
|  |  | https://www.mozilla.org/security/advisories/mfsa2025-32/ |  | nvd |

</details>

二、漏洞分析结构反馈
 影响性分析说明：
  A process isolation vulnerability in Thunderbird stemmed from improper handling of javascript: URIs, which could allow content to execute in the top-level document s process instead of the intended frame, potentially enabling a sandbox escape.
 openEuler评分：
  9.1
 Vector：CVSS：3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
 受影响版本排查(受影响/不受影响)：
  1.master(128.12.0):受影响
2.openEuler-24.03-LTS-Next(128.12.0):受影响
3.openEuler-24.03-LTS-SP2(128.11.1):受影响
4.openEuler-20.03-LTS-SP4:不受影响
5.openEuler-22.03-LTS-SP3:不受影响
6.openEuler-22.03-LTS-SP4:不受影响
7.openEuler-24.03-LTS:不受影响
8.openEuler-24.03-LTS-SP1:不受影响

修复是否涉及abi变化(是/否)：
  1.master(128.12.0):否
2.openEuler-20.03-LTS-SP4:否
3.openEuler-22.03-LTS-SP3:否
4.openEuler-22.03-LTS-SP4:否
5.openEuler-24.03-LTS:否
6.openEuler-24.03-LTS-Next(128.12.0):否
7.openEuler-24.03-LTS-SP1:否
8.openEuler-24.03-LTS-SP2(128.11.1):否

原因说明：
  1.master(128.12.0):正常修复
2.openEuler-24.03-LTS-Next(128.12.0):正常修复
3.openEuler-24.03-LTS-SP2(128.11.1):正常修复
4.openEuler-20.03-LTS-SP4:不受影响-组件不存在
5.openEuler-22.03-LTS-SP3:不受影响-组件不存在
6.openEuler-22.03-LTS-SP4:不受影响-组件不存在
7.openEuler-24.03-LTS:不受影响-组件不存在
8.openEuler-24.03-LTS-SP1:不受影响-组件不存在

三、漏洞修复
安全公告链接：https://www.openeuler.org/zh/security/safety-bulletin/detail/?id=openEuler-SA-2025-1835

src-openEuler/thunderbird

内容风险标识

评论 (8)

src-openEuler/thunderbird .gitee-modal { width: 500px !important; }

内容风险标识

CVE-2025-4083

评论 (8)

搜索帮助

src-openEuler/thunderbird