CVE-2025-4090: 
NixOS vulnerability analysis and mitigation

A vulnerability (CVE-2025-4090) was discovered in Thunderbird for Android where potentially sensitive library locations were logged via Logcat. The vulnerability was disclosed on April 29, 2025, and affects Firefox versions < 138 and Thunderbird versions < 138 (Mozilla Advisory, NVD).

The vulnerability has been assigned a CVSS v3.1 Base Score of 6.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N. The issue is related to improper logging of sensitive library locations through Android's Logcat system. The vulnerability has been classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) (CISA-ADP).

The vulnerability has been rated as having a low impact. The exposure of library locations through Logcat could potentially reveal sensitive information about the application's structure and implementation, which could be useful for attackers in crafting more targeted exploits (Mozilla Advisory).

The vulnerability has been fixed in Firefox 138 and Thunderbird 138. Users are advised to update their applications to these versions or later to mitigate the vulnerability (Mozilla Advisory, Mozilla Advisory).