CVE-2025-8037
BaseFortify

Publication date: 2025-07-22

Last updated on: 2026-04-13

Assigner: Mozilla Corporation

Description
Setting a nameless cookie with an equals sign in the value shadowed other cookies, even if the nameless cookie was set over HTTP and the shadowed cookie included the `Secure` attribute. This vulnerability was fixed in Firefox 141, Firefox ESR 140.1, Thunderbird 141, and Thunderbird 140.1.
Meta Information
Published: 2025-07-22
Last Modified: 2026-04-13
Generated: 2026-05-07
AI Q&A: 2025-07-22
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 4 associated CPEs

| Vendor | Product | Version / Range |
| --- | --- | --- |
| mozilla | firefox | From 60.9.0 (exc) |
| mozilla | firefox | From 60.9.0 (exc) |
| mozilla | thunderbird | to 140.0 (inc) |
| mozilla | thunderbird | to 140.0 (inc) |
| CWE ID | Description |
| --- | --- |
| CWE-614 | The Secure attribute for sensitive cookies in HTTPS sessions is not set. |
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability occurs when a nameless cookie with an equals sign in its value shadows other cookies. This means that even if the nameless cookie was set over an insecure HTTP connection and the other cookie had the Secure attribute (intended to protect it), the nameless cookie could override or hide the secure cookie. This affects certain versions of Firefox and Thunderbird before version 141 and ESR before 140.1.


How can this vulnerability impact me?

This vulnerability can impact you by allowing a less secure cookie to shadow a more secure cookie, potentially leading to security issues such as session hijacking or unauthorized access, because the Secure attribute on the shadowed cookie may be bypassed.
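
Why a server cannot see the shadowing, as an added example (not code from Mozilla or from this page): it models the RFC 6265bis rule that a nameless cookie is serialised as its bare value, using a constructed cookie jar. `findAmbiguousNames` is a hypothetical server-side check that flags names occurring more than once in a `Cookie` header.

```javascript
// Model of Cookie-header serialisation (RFC 6265bis): a cookie with an empty
// name is sent as its bare value, with no leading "name=". Attributes such as
// Secure are never sent back to the server.
function serializeCookie({ name, value }) {
  return name === "" ? value : `${name}=${value}`;
}

function buildCookieHeader(jar) {
  return jar.map(serializeCookie).join("; ");
}

// Server-side parse: split pairs on ";" and each pair at its first "=".
function parseCookieHeader(header) {
  return header.split(/;\s*/).filter(Boolean).map((pair) => {
    const eq = pair.indexOf("=");
    return eq === -1
      ? { name: "", value: pair }
      : { name: pair.slice(0, eq), value: pair.slice(eq + 1) };
  });
}

// Defensive check: a name that occurs more than once cannot be trusted,
// because the server cannot tell which entry the site itself set.
function findAmbiguousNames(header) {
  const counts = new Map();
  for (const { name } of parseCookieHeader(header)) {
    counts.set(name, (counts.get(name) || 0) + 1);
  }
  return [...counts].filter(([, n]) => n > 1).map(([name]) => name);
}

// Constructed sample jar (names and values are illustrative only).
const sampleJar = [
  { name: "", value: "session=from-http", secure: false },
  { name: "session", value: "from-https", secure: true },
  { name: "theme", value: "dark", secure: false },
];
const sampleHeader = buildCookieHeader(sampleJar);
// sampleHeader is "session=from-http; session=from-https; theme=dark"
console.log(sampleHeader, findAmbiguousNames(sampleHeader));
```

A request that trips this check can be rejected or have the ambiguous cookie treated as absent, rather than accepting whichever value the parser returns first.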

