{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-3033", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2025-03-31T09:35:30.844Z", "datePublished": "2025-04-01T12:29:04.495Z", "dateUpdated": "2026-04-13T14:29:35.142Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "137", "lessThanOrEqual": "*", "versionType": "rpm"}]}, {"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "137", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "After selecting a malicious Windows `.url` shortcut from the local filesystem, an unexpected file could be uploaded. \n*This bug only affects Firefox on Windows. Other operating systems are unaffected.*. This vulnerability was fixed in Firefox 137 and Thunderbird 137.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "After selecting a malicious Windows <code>.url</code> shortcut from the local filesystem, an unexpected file could be uploaded. <br>*This bug only affects Firefox on Windows. Other operating systems are unaffected.*. This vulnerability was fixed in Firefox 137 and Thunderbird 137."}]}], "title": "Opening local .url files could lead to another file being opened", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1950056"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-20/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-23/"}], "credits": [{"lang": "en", "value": "Ameen Basha M K"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:29:35.142Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-73", "lang": "en", "description": "CWE-73 External Control of File Name or Path"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-04-01T18:32:22.387263Z", "id": "CVE-2025-3033", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-01T18:33:39.492Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-3033", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-01T18:32:22.387263Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-73", "description": "CWE-73 External Control of File Name or Path"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-01T18:33:34.355Z"}}], "cna": {"title": "Opening local .url files could lead to another file being opened", "credits": [{"lang": "en", "value": "Ameen Basha M K"}], "affected": [{"vendor": "Mozilla", "product": "Firefox", "versions": [{"status": "unaffected", "version": "137", "versionType": "rpm", "lessThanOrEqual": "*"}]}, {"vendor": "Mozilla", "product": "Thunderbird", "versions": [{"status": "unaffected", "version": "137", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1950056"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-20/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-23/"}], "descriptions": [{"lang": "en", "value": "After selecting a malicious Windows `.url` shortcut from the local filesystem, an unexpected file could be uploaded. \n*This bug only affects Firefox on Windows. Other operating systems are unaffected.*. This vulnerability was fixed in Firefox 137 and Thunderbird 137.", "supportingMedia": [{"type": "text/html", "value": "After selecting a malicious Windows <code>.url</code> shortcut from the local filesystem, an unexpected file could be uploaded. <br>*This bug only affects Firefox on Windows. Other operating systems are unaffected.*. This vulnerability was fixed in Firefox 137 and Thunderbird 137.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:29:35.142Z"}}}, "cveMetadata": {"cveId": "CVE-2025-3033", "state": "PUBLISHED", "dateUpdated": "2026-04-13T14:29:35.142Z", "dateReserved": "2025-03-31T09:35:30.844Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2025-04-01T12:29:04.495Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "matchCriteriaId": "1AD89C53-6274-4CA4-B450-444E8D6F82EB", "versionEndExcluding": "137.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "matchCriteriaId": "A16B6929-C99F-4E1A-994B-44543C0D5B5A", "versionEndExcluding": "137.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "After selecting a malicious Windows `.url` shortcut from the local filesystem, an unexpected file could be uploaded. \n*This bug only affects Firefox on Windows. Other operating systems are unaffected.*. This vulnerability was fixed in Firefox 137 and Thunderbird 137."}, {"lang": "es", "value": "Tras seleccionar un acceso directo malicioso de Windows `.url` desde el sistema de archivos local, podr\u00eda cargarse un archivo inesperado. *Este error solo afecta a Firefox en Windows. Otros sistemas operativos no se ven afectados.* Esta vulnerabilidad afecta a Firefox (versi\u00f3n anterior a la 137) y Thunderbird (versi\u00f3n anterior a la 137)."}], "id": "CVE-2025-3033", "lastModified": "2026-04-13T15:16:57.157", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 5.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-04-01T13:15:41.697", "references": [{"source": "security@mozilla.org", "tags": ["Issue Tracking", "Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1950056"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-20/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-23/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-73"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T20:36:48.743714+00:00", "value": {"mitigation_remediation": ["Upgrade to Firefox\u202f137 or later and to Thunderbird\u202f137 or later to apply the vendor fix.", "If a patch cannot be installed immediately, configure the browser or use a security extension to block uploads that originate from .url shortcuts.", "On the server side, enforce strict validation of uploaded file types and reject unexpected files or sizes."], "summary": {"action": "Apply Patch", "impact": "Arbitrary File Upload"}, "threat_synthesis": {"affected_systems": "Versions prior to Firefox\u00a0137 and Thunderbird\u00a0137 running on Windows are affected. All other operating systems and newer releases are not vulnerable.", "description_and_impact": "Firefox and Thunderbird on Windows allow a local Windows .url shortcut to be chosen as the source for a file upload, but the shortcut points to another file on the system. The application then uploads the file referenced by the shortcut instead of the file originally selected, resulting in an arbitrary local file being submitted to the web server. This flaw corresponds to CWE\u201173, reflecting improper handling of system call arguments for local file access.", "risk_and_exploitability": "The CVSS score of 7.7 indicates high severity, while the EPSS score of less than 1\u202f% suggests a low exploitation probability. The flaw is not listed in the CISA KEV catalog. Exploitation requires the victim to select a malicious .url file locally; after the file is chosen, the referenced file is uploaded automatically."}}}}, "created": "2026-04-20T20:45:16.932942+00:00", "updated": "2026-04-20T20:45:16.932952+00:00", "vendors": []}