VulnerableCode Vulnerability Details

Search for vulnerabilities

Vulnerability details: VCID-92ju-8t11-sqf7

Essentials
Severities (57)
References (41)
Severity details (16)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-92ju-8t11-sqf7
Aliases	CVE-2025-4087
Summary	A vulnerability was identified in Firefox where XPath parsing could trigger undefined behavior due to missing null checks during attribute access. This could lead to out-of-bounds read access and potentially, memory corruption. This vulnerability affects Firefox < 138, Firefox ESR < 128.10, Thunderbird < 138, and Thunderbird ESR < 128.10.
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (1)

CWE-125

Out-of-bounds Read

System	Score	Found at
cvssv3	7.6	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-4087.json
epss	0.00031	https://api.first.org/data/v1/epss?cve=CVE-2025-4087
epss	0.00031	https://api.first.org/data/v1/epss?cve=CVE-2025-4087
epss	0.00031	https://api.first.org/data/v1/epss?cve=CVE-2025-4087
epss	0.00031	https://api.first.org/data/v1/epss?cve=CVE-2025-4087
epss	0.00031	https://api.first.org/data/v1/epss?cve=CVE-2025-4087
epss	0.00041	https://api.first.org/data/v1/epss?cve=CVE-2025-4087
epss	0.00041	https://api.first.org/data/v1/epss?cve=CVE-2025-4087
epss	0.00041	https://api.first.org/data/v1/epss?cve=CVE-2025-4087
epss	0.00041	https://api.first.org/data/v1/epss?cve=CVE-2025-4087
epss	0.00043	https://api.first.org/data/v1/epss?cve=CVE-2025-4087
epss	0.00043	https://api.first.org/data/v1/epss?cve=CVE-2025-4087
epss	0.00043	https://api.first.org/data/v1/epss?cve=CVE-2025-4087
epss	0.00043	https://api.first.org/data/v1/epss?cve=CVE-2025-4087
epss	0.00043	https://api.first.org/data/v1/epss?cve=CVE-2025-4087
epss	0.00075	https://api.first.org/data/v1/epss?cve=CVE-2025-4087
epss	0.00075	https://api.first.org/data/v1/epss?cve=CVE-2025-4087
epss	0.00075	https://api.first.org/data/v1/epss?cve=CVE-2025-4087
epss	0.00075	https://api.first.org/data/v1/epss?cve=CVE-2025-4087
epss	0.00075	https://api.first.org/data/v1/epss?cve=CVE-2025-4087
epss	0.00075	https://api.first.org/data/v1/epss?cve=CVE-2025-4087
epss	0.00075	https://api.first.org/data/v1/epss?cve=CVE-2025-4087
epss	0.00075	https://api.first.org/data/v1/epss?cve=CVE-2025-4087
epss	0.00075	https://api.first.org/data/v1/epss?cve=CVE-2025-4087
epss	0.00075	https://api.first.org/data/v1/epss?cve=CVE-2025-4087
epss	0.00075	https://api.first.org/data/v1/epss?cve=CVE-2025-4087
epss	0.00075	https://api.first.org/data/v1/epss?cve=CVE-2025-4087
epss	0.00075	https://api.first.org/data/v1/epss?cve=CVE-2025-4087
epss	0.00075	https://api.first.org/data/v1/epss?cve=CVE-2025-4087
epss	0.00075	https://api.first.org/data/v1/epss?cve=CVE-2025-4087
epss	0.00082	https://api.first.org/data/v1/epss?cve=CVE-2025-4087
epss	0.00082	https://api.first.org/data/v1/epss?cve=CVE-2025-4087
epss	0.00082	https://api.first.org/data/v1/epss?cve=CVE-2025-4087
epss	0.00082	https://api.first.org/data/v1/epss?cve=CVE-2025-4087
epss	0.00082	https://api.first.org/data/v1/epss?cve=CVE-2025-4087
epss	0.00082	https://api.first.org/data/v1/epss?cve=CVE-2025-4087
epss	0.00082	https://api.first.org/data/v1/epss?cve=CVE-2025-4087
epss	0.00082	https://api.first.org/data/v1/epss?cve=CVE-2025-4087
epss	0.00082	https://api.first.org/data/v1/epss?cve=CVE-2025-4087
epss	0.00082	https://api.first.org/data/v1/epss?cve=CVE-2025-4087
epss	0.00082	https://api.first.org/data/v1/epss?cve=CVE-2025-4087
epss	0.00082	https://api.first.org/data/v1/epss?cve=CVE-2025-4087
cvssv3.1	6.5	https://bugzilla.mozilla.org/show_bug.cgi?id=1952465
ssvc	Track	https://bugzilla.mozilla.org/show_bug.cgi?id=1952465
cvssv3.1	5	https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
generic_textual	high	https://www.mozilla.org/en-US/security/advisories/mfsa2025-28
generic_textual	high	https://www.mozilla.org/en-US/security/advisories/mfsa2025-29
generic_textual	high	https://www.mozilla.org/en-US/security/advisories/mfsa2025-31
generic_textual	high	https://www.mozilla.org/en-US/security/advisories/mfsa2025-32
cvssv3.1	6.5	https://www.mozilla.org/security/advisories/mfsa2025-28/
ssvc	Track	https://www.mozilla.org/security/advisories/mfsa2025-28/
cvssv3.1	6.5	https://www.mozilla.org/security/advisories/mfsa2025-29/
ssvc	Track	https://www.mozilla.org/security/advisories/mfsa2025-29/
cvssv3.1	6.5	https://www.mozilla.org/security/advisories/mfsa2025-31/
ssvc	Track	https://www.mozilla.org/security/advisories/mfsa2025-31/
cvssv3.1	6.5	https://www.mozilla.org/security/advisories/mfsa2025-32/
ssvc	Track	https://www.mozilla.org/security/advisories/mfsa2025-32/

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-4087.json
		https://api.first.org/data/v1/epss?cve=CVE-2025-4087
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-4087
		https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
2362904		https://bugzilla.redhat.com/show_bug.cgi?id=2362904
cpe:2.3:a:mozilla:firefox:::::-:::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:mozilla:firefox:::::-:::*
cpe:2.3:a:mozilla:firefox:::::esr:::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:mozilla:firefox:::::esr:::*
cpe:2.3:a:mozilla:thunderbird:::::-:::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:mozilla:thunderbird:::::-:::*
cpe:2.3:a:mozilla:thunderbird:::::esr:::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:mozilla:thunderbird:::::esr:::*
CVE-2025-4087		https://nvd.nist.gov/vuln/detail/CVE-2025-4087
mfsa2025-28		https://www.mozilla.org/en-US/security/advisories/mfsa2025-28
mfsa2025-28		https://www.mozilla.org/security/advisories/mfsa2025-28/
mfsa2025-29		https://www.mozilla.org/en-US/security/advisories/mfsa2025-29
mfsa2025-29		https://www.mozilla.org/security/advisories/mfsa2025-29/
mfsa2025-31		https://www.mozilla.org/en-US/security/advisories/mfsa2025-31
mfsa2025-31		https://www.mozilla.org/security/advisories/mfsa2025-31/
mfsa2025-32		https://www.mozilla.org/en-US/security/advisories/mfsa2025-32
mfsa2025-32		https://www.mozilla.org/security/advisories/mfsa2025-32/
RHSA-2025:4443		https://access.redhat.com/errata/RHSA-2025:4443
RHSA-2025:4458		https://access.redhat.com/errata/RHSA-2025:4458
RHSA-2025:4460		https://access.redhat.com/errata/RHSA-2025:4460
RHSA-2025:4751		https://access.redhat.com/errata/RHSA-2025:4751
RHSA-2025:4752		https://access.redhat.com/errata/RHSA-2025:4752
RHSA-2025:4753		https://access.redhat.com/errata/RHSA-2025:4753
RHSA-2025:4756		https://access.redhat.com/errata/RHSA-2025:4756
RHSA-2025:4797		https://access.redhat.com/errata/RHSA-2025:4797
RHSA-2025:7428		https://access.redhat.com/errata/RHSA-2025:7428
RHSA-2025:7506		https://access.redhat.com/errata/RHSA-2025:7506
RHSA-2025:7507		https://access.redhat.com/errata/RHSA-2025:7507
RHSA-2025:7543		https://access.redhat.com/errata/RHSA-2025:7543
RHSA-2025:7544		https://access.redhat.com/errata/RHSA-2025:7544
RHSA-2025:7545		https://access.redhat.com/errata/RHSA-2025:7545
RHSA-2025:7547		https://access.redhat.com/errata/RHSA-2025:7547
RHSA-2025:7689		https://access.redhat.com/errata/RHSA-2025:7689
RHSA-2025:7690		https://access.redhat.com/errata/RHSA-2025:7690
RHSA-2025:7691		https://access.redhat.com/errata/RHSA-2025:7691
RHSA-2025:7692		https://access.redhat.com/errata/RHSA-2025:7692
RHSA-2025:7693		https://access.redhat.com/errata/RHSA-2025:7693
RHSA-2025:7694		https://access.redhat.com/errata/RHSA-2025:7694
RHSA-2025:7695		https://access.redhat.com/errata/RHSA-2025:7695
show_bug.cgi?id=1952465		https://bugzilla.mozilla.org/show_bug.cgi?id=1952465

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-4087.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://bugzilla.mozilla.org/show_bug.cgi?id=1952465

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-29T15:51:33Z/ Found at https://bugzilla.mozilla.org/show_bug.cgi?id=1952465

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://www.mozilla.org/security/advisories/mfsa2025-28/

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-29T15:51:33Z/ Found at https://www.mozilla.org/security/advisories/mfsa2025-28/

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://www.mozilla.org/security/advisories/mfsa2025-29/

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-29T15:51:33Z/ Found at https://www.mozilla.org/security/advisories/mfsa2025-29/

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://www.mozilla.org/security/advisories/mfsa2025-31/

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-29T15:51:33Z/ Found at https://www.mozilla.org/security/advisories/mfsa2025-31/

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://www.mozilla.org/security/advisories/mfsa2025-32/

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-29T15:51:33Z/ Found at https://www.mozilla.org/security/advisories/mfsa2025-32/

Exploit Prediction Scoring System (EPSS)

Percentile	0.07228
EPSS Score	0.00031
Published At	April 30, 2025, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2025-04-29T17:00:31.819179+00:00	Vulnrichment	Import	https://github.com/cisagov/vulnrichment/blob/develop/2025/4xxx/CVE-2025-4087.json	36.0.0