CVE-2025-8038: 
NixOS vulnerability analysis and mitigation

CVE-2025-8038 is a security vulnerability discovered in Mozilla Firefox and Thunderbird browsers where paths were ignored when checking the validity of navigations in a frame. The vulnerability affects Firefox versions prior to 141, Firefox ESR versions prior to 140.1, Thunderbird versions prior to 141, and Thunderbird ESR versions prior to 140.1. The issue was discovered by security researcher Laurin Weger and was publicly disclosed on July 22, 2025 (Mozilla Advisory).

The vulnerability is related to the Content Security Policy (CSP) frame-src directive implementation, where the browser failed to properly enforce path restrictions when validating frame navigations. This vulnerability has been classified with a CVSS v3.1 Base Score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The issue has been categorized under CWE-345 (Insufficient Verification of Data Authenticity) (NVD).

The vulnerability has been assessed as having a 'low' impact by Mozilla. While the specific impact details are limited, the vulnerability could potentially allow bypass of CSP frame-src restrictions, which are security controls designed to prevent unauthorized frame navigation (Mozilla Advisory).

The vulnerability has been fixed in Firefox 141, Firefox ESR 140.1, Thunderbird 141, and Thunderbird ESR 140.1. Users are advised to update their browsers to these versions or later to mitigate the vulnerability (Mozilla Advisory).