{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13017", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2025-11-11T15:12:15.878Z", "datePublished": "2025-11-11T15:47:16.109Z", "dateUpdated": "2026-04-13T14:26:28.500Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "140.5", "lessThanOrEqual": "140.*", "versionType": "rpm"}, {"status": "unaffected", "version": "145", "lessThanOrEqual": "*", "versionType": "rpm"}]}, {"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "140.5", "lessThanOrEqual": "140.*", "versionType": "rpm"}, {"status": "unaffected", "version": "145", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "Same-origin policy bypass in the DOM: Notifications component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Same-origin policy bypass in the DOM: Notifications component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5."}]}], "title": "Same-origin policy bypass in the DOM: Notifications component", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1980904"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-87/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-88/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-90/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-91/"}], "credits": [{"lang": "en", "value": "Mochammad Nosa Shandy Prastyo"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:26:28.500Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-942", "lang": "en", "description": "CWE-942 Permissive Cross-domain Policy with Untrusted Domains"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-11-12T15:14:51.986912Z", "id": "CVE-2025-13017", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-25T14:48:48.269Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-13017", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-11-12T15:14:51.986912Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-942", "description": "CWE-942 Permissive Cross-domain Policy with Untrusted Domains"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-12T15:16:06.301Z"}}], "cna": {"title": "Same-origin policy bypass in the DOM: Notifications component", "credits": [{"lang": "en", "value": "Mochammad Nosa Shandy Prastyo"}], "affected": [{"vendor": "Mozilla", "product": "Firefox", "versions": [{"status": "unaffected", "version": "140.5", "versionType": "rpm", "lessThanOrEqual": "140.*"}, {"status": "unaffected", "version": "145", "versionType": "rpm", "lessThanOrEqual": "*"}]}, {"vendor": "Mozilla", "product": "Thunderbird", "versions": [{"status": "unaffected", "version": "140.5", "versionType": "rpm", "lessThanOrEqual": "140.*"}, {"status": "unaffected", "version": "145", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1980904"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-87/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-88/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-90/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-91/"}], "descriptions": [{"lang": "en", "value": "Same-origin policy bypass in the DOM: Notifications component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5.", "supportingMedia": [{"type": "text/html", "value": "Same-origin policy bypass in the DOM: Notifications component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:26:28.500Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13017", "state": "PUBLISHED", "dateUpdated": "2026-04-13T14:26:28.500Z", "dateReserved": "2025-11-11T15:12:15.878Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2025-11-11T15:47:16.109Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*", "matchCriteriaId": "D77916A6-B8C6-475D-8D77-D5D3AA1E1F43", "versionEndExcluding": "140.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*", "matchCriteriaId": "445D5AED-0882-46FE-A5F1-B7148B923221", "versionEndExcluding": "145.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Same-origin policy bypass in the DOM: Notifications component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5."}], "id": "CVE-2025-13017", "lastModified": "2026-04-13T15:16:42.840", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-11-11T16:15:38.793", "references": [{"source": "security@mozilla.org", "tags": ["Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1980904"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-87/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-88/"}, {"source": "security@mozilla.org", "url": "https://www.mozilla.org/security/advisories/mfsa2025-90/"}, {"source": "security@mozilla.org", "url": "https://www.mozilla.org/security/advisories/mfsa2025-91/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-942"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "firefox: Same-origin policy bypass in the DOM: Notifications component", "id": "2414092", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2414092"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-501", "details": ["No description is available for this CVE."], "name": "CVE-2025-13017", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "rhel10/firefox-flatpak", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-11-11T15:47:16Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-13017\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-13017\nhttps://www.mozilla.org/security/advisories/mfsa2025-88/#CVE-2025-13017"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.", "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-04-20T21:37:32.000490+00:00", "value": {"mitigation_remediation": ["Update Firefox to 145 or ESR\u202f140.5 and Thunderbird to 145 or ESR\u202f140.5 to apply the fix.", "If an immediate upgrade is not possible, block notification permissions for untrusted origins through the browser\u2019s content settings or a policy that restricts the Notifications API.", "As a temporary measure, disable the Notifications component entirely by setting dom.notifications.enabled to false until a patch is available."], "summary": {"action": "Patch Immediately", "impact": "Same\u2011Origin Policy Bypass / Information Disclosure"}, "threat_synthesis": {"affected_systems": "The defect is present in Mozilla Firefox and Mozilla Thunderbird browsers built on the shared Notification API. The issue has been fixed in Firefox\u202f145, Firefox\u202fESR\u202f140.5, Thunderbird\u202f145, and Thunderbird\u202fESR\u202f140.5. Versions prior to these fixed releases are affected unless explicit patching is applied.", "description_and_impact": "The CVE describes a Same\u2011Origin Policy bypass in the browser\u2019s DOM Notifications component. This weakness could allow an attacker who can deliver malicious content to a user to access notification data that was intended to be isolated to the originating domain. The result is potential information disclosure or manipulation of notifications, impacting confidentiality and integrity of user data within the browser environment.", "risk_and_exploitability": "With a CVSS base score of\u202f8.1 the vulnerability is considered high severity, yet the EPSS score is under\u202f1\u202f%, indicating a low probability of widespread exploitation. The issue is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker would typically need to entice a user to visit a malicious web page or local file that triggers the Notifications component, after which cross\u2011origin notification data could be read or altered. The overall risk is high for susceptible installations, but the likelihood of active exploitation remains small."}}}}, "created": "2025-11-12T12:42:35.054302+00:00", "updated": "2026-04-20T21:45:18.965835+00:00", "vendors": ["mozilla", "mozilla$PRODUCT$firefox", "mozilla$PRODUCT$firefox_esr"]}