CVE-2025-8037
CRITICALDescription
Setting a nameless cookie with an equals sign in the value shadowed other cookies. Even if the nameless cookie was set over HTTP and the shadowed cookie included the `Secure` attribute. This vulnerability was fixed in Firefox 141, Firefox ESR 140.1, Thunderbird 141, and Thunderbird 140.1.
Is your site exposed to CVE-2025-8037?
Run a free security scan — no signup, results in seconds.
CVSS v3.1 Score
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| mozilla | firefox |
| mozilla | firefox |
| mozilla | thunderbird |
| mozilla | thunderbird |
References
Advisories & Patches
Other References
Frequently Asked Questions
What is CVE-2025-8037? +
How severe is CVE-2025-8037? +
What products are affected by CVE-2025-8037? +
How do I check if I'm vulnerable to CVE-2025-8037? +
Related Vulnerabilities
This vulnerability exists in the CP Plus Router due to insecure handling of cookie flags used within its web interface. …
Boruta is a standalone authorization server that aims to implement OAuth 2.0 and Openid Connect up to decentralized identity specifications. …
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 25.0.0 and prior to version 26.0.0, …
This vulnerability exists in Digisol DG-GR6821AC Router due to misconfiguration of both Secure and HttpOnly flags on session cookies associated …
Misskey is an open source, federated social media platform. Starting in version 12.109.0 and prior to version 2025.2.0-alpha.0, due to …
In phpipam/phpipam version 1.5.1, the Secure attribute for sensitive cookies in HTTPS sessions is not set. This could cause the …