CVE-2025-8036 in Thunderbird

Summary

by MITRE • 07/23/2025

Thunderbird cached CORS preflight responses across IP address changes. This allowed circumventing CORS with DNS rebinding. This vulnerability affects Firefox < 141, Firefox ESR < 140.1, Thunderbird < 141, and Thunderbird < 140.1.

Analysis

by VulDB Data Team • 11/03/2025

This vulnerability represents a critical cross-origin resource sharing (CORS) bypass mechanism that exploits the caching behavior of Thunderbird and Firefox browsers when handling CORS preflight requests. The flaw occurs when the browser caches CORS preflight responses based on domain names rather than IP addresses, creating a pathway for malicious actors to exploit DNS rebinding techniques. When a user's IP address changes due to network reconfiguration or dynamic IP assignment, the cached preflight responses remain valid and can be reused against new IP addresses, effectively circumventing the intended security boundaries of CORS policies.

The technical implementation of this vulnerability stems from the browser's failure to properly invalidate cached CORS preflight responses when network topology changes occur. Specifically, when a domain name resolves to different IP addresses over time, the browser's CORS implementation maintains cached preflight responses for the original IP address while the user's network connection may have shifted to a different IP address. This creates a scenario where requests intended to be restricted by CORS policies can bypass those restrictions by leveraging the cached responses from the previous IP address context. The vulnerability affects both Firefox and Thunderbird browsers across multiple versions, with the standard Firefox release requiring version 141 and ESR requiring version 140.1 to address the issue, while Thunderbird requires version 141 for both standard and ESR releases.

The operational impact of this vulnerability extends beyond simple cross-origin access bypasses and represents a significant threat to web application security. Attackers can exploit this weakness by manipulating DNS resolution to redirect traffic through different IP addresses while maintaining access to cached preflight responses that were originally valid for different network contexts. This enables unauthorized access to resources that should be restricted based on origin policies, potentially allowing attackers to exfiltrate sensitive data, perform unauthorized operations, or gain elevated privileges within web applications that rely on CORS for security boundaries. The vulnerability particularly affects applications that depend on strict origin validation and can lead to data breaches or privilege escalation attacks when exploited in conjunction with other techniques.

Security mitigations for this vulnerability focus on implementing proper cache invalidation mechanisms when network address changes occur and ensuring that CORS preflight responses are tied to specific IP address contexts rather than relying solely on domain name resolution. Browser vendors have addressed this issue by modifying the caching behavior to properly invalidate CORS preflight responses when IP address changes are detected, requiring updates to the affected browser versions. Organizations should prioritize updating their Firefox and Thunderbird installations to the patched versions to prevent exploitation of this vulnerability. Additionally, network administrators should monitor for potential DNS rebinding attacks and implement proper network segmentation to limit the impact of such vulnerabilities. This issue aligns with CWE-284 Access Control and ATT&CK techniques related to privilege escalation and credential access through web application exploitation, emphasizing the need for comprehensive browser security updates and network security monitoring.
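
A simplified model of the caching behaviour described above, as an added example (not Mozilla's or VulDB's code): a preflight cache that reuses entries by name only, next to one that also binds each entry to the server address that answered the preflight. The class name, the `bindToAddress` option and all hosts and addresses are constructed for illustration.

```javascript
// Simplified model of a CORS preflight cache (added example, not Mozilla's code).
// PreflightCache, bindToAddress and all hosts/IPs below are constructed.
class PreflightCache {
  constructor({ bindToAddress }) {
    this.bindToAddress = bindToAddress; // false = name-only reuse, true = hardened
    this.entries = new Map();
  }

  // Name-based key: requesting origin, method and target URL, no address.
  static key(origin, method, url) {
    return `${origin} ${method} ${url}`;
  }

  // Record a successful preflight answered by the server at serverIp.
  store(origin, method, url, serverIp, maxAgeSec, nowMs) {
    const expires = nowMs + maxAgeSec * 1000; // Access-Control-Max-Age
    this.entries.set(PreflightCache.key(origin, method, url), { serverIp, expires });
  }

  // True if the actual request may be sent without a fresh preflight.
  canSkipPreflight(origin, method, url, currentIp, nowMs) {
    const k = PreflightCache.key(origin, method, url);
    const entry = this.entries.get(k);
    if (!entry) return false;
    const expired = nowMs >= entry.expires;
    const rebound = this.bindToAddress && entry.serverIp !== currentIp;
    if (expired || rebound) {
      this.entries.delete(k); // evict so the next request preflights again
      return false;
    }
    return true;
  }
}

// Replay one sequence: preflight at address A, then the name resolves to B.
function simulateRebind(bindToAddress) {
  const cache = new PreflightCache({ bindToAddress });
  const origin = "https://app.example";
  const url = "https://api.rebind.example/data";
  cache.store(origin, "PUT", url, "203.0.113.10", 600, 0);
  return {
    sameAddress: cache.canSkipPreflight(origin, "PUT", url, "203.0.113.10", 1000),
    afterRebind: cache.canSkipPreflight(origin, "PUT", url, "192.0.2.77", 2000),
    afterExpiry: cache.canSkipPreflight(origin, "PUT", url, "203.0.113.10", 601000),
  };
}

console.log({ nameOnly: simulateRebind(false), addressBound: simulateRebind(true) });
```

In the name-only mode the entry is still honoured after the name resolves to a different address; in the address-bound mode the same lookup evicts the entry and forces a new preflight.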

Responsible: Mozilla
Reservation: 07/22/2025
Disclosure: 07/23/2025
Moderation: accepted
Entry: 2

CPE: ready
EPSS: 0.00420
KEV: no
Activities: very low
