
CVE-2025-1018

Severity: Medium

Published: 04 February 2025
Modified: 13 April 2026
KEV Added: (no entry)
Patch: (no entry)
CVSS Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
EPSS Score: 0.0019 (39.8th percentile)
Risk Priority: 11 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

The fullscreen notification is prematurely hidden when fullscreen is re-requested quickly by the user. This could have been leveraged to perform a potential spoofing attack. This vulnerability was fixed in Firefox 135 and Thunderbird 135.

Security Summary

CVE-2025-1018 is a vulnerability in the fullscreen notification handling of Mozilla Firefox and Thunderbird. When the user re-requests fullscreen quickly, the fullscreen notification is hidden prematurely, which enables a potential spoofing attack. The flaw affects Firefox and Thunderbird versions prior to 135, is classified as CWE-1021, and carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

Remote attackers can exploit this vulnerability over the network with low attack complexity, requiring no privileges and no user interaction beyond normal browser usage. Successful exploitation yields a low-impact integrity violation: the spoofing opportunity created by the hidden fullscreen notification can be used to deceive users about what they are seeing.

Mozilla fixed this vulnerability in Firefox 135 and Thunderbird 135; updating to those versions or later is the mitigation. Further details are provided in security advisories MFSA 2025-07 and MFSA 2025-11 and in the Bugzilla entry at https://bugzilla.mozilla.org/show_bug.cgi?id=1910818.

Details

CWE(s): CWE-1021 (Improper Restriction of Rendered UI Layers or Frames)

Affected Products

- mozilla firefox: ≤ 135.0
- mozilla thunderbird: 131.0 to 135.0
