Mitigation bypass in the Networking: Cookies component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
The vulnerability is classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and involves circumventing implemented security measures in the component responsible for handling network cookies. An attacker can exploit an alternative path or mechanism to bypass imposed restrictions without requiring authentication, user interaction, or special privileges. The attack is possible remotely over the network, and low complexity indicates ease of execution.
Successful exploitation of this vulnerability may allow an attacker to gain unauthorized access to session data or sensitive information stored in cookies, as well as compromise the integrity and availability of the application using the affected component.
Mozilla Firefox should be updated to version 150 or later, and Mozilla Thunderbird should be updated to version 150 or later. Patches are available through official Mozilla distribution channels in accordance with vendor references (mfsa2026-30, mfsa2026-33).
Mozilla Firefox versions prior to 150 and Mozilla Thunderbird versions prior to 150.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HMozilla Firefox
APPMozilla< 150.0Mozilla Thunderbird
APPMozilla< 150.0
Related vulnerabilities
Use-after-free w Animation timelines Firefox/Thunderbird — RCE
An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escap...
Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes ...
Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before...
Memory safety bugs present in Firefox 152.0.3. Some of these bugs showed evidence of memory corruption and we ...