CVE-2025-6425

Published: Jun 24, 2025Modified: Jun 17, 2026

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Exploitability: 2.8 / Impact: 1.4

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

An attacker who enumerated resources from the WebCompat extension could have obtained a persistent UUID that identified the browser, and persisted between containers and normal/private browsing mode, but not profiles. This vulnerability was fixed in Firefox 140, Firefox ESR 115.25, Firefox ESR 128.12, Thunderbird 140, and Thunderbird 128.12.

Affected (3)

Products: Mozilla: Firefox

1 product

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Mozilla Firefox	Before 140.0
Mozilla Firefox	Before 115.25.0
Mozilla Firefox	From 116.0 to 128.12.0

Related CWEs

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References (8)

https://bugzilla.mozilla.org/show_bug.cgi?id=1717672

Source: security@mozilla.org

Issue TrackingVendor Advisory

https://www.mozilla.org/security/advisories/mfsa2025-51/

Source: security@mozilla.org

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2025-52/

Source: security@mozilla.org

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2025-53/

Source: security@mozilla.org

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2025-54/

Source: security@mozilla.org

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2025-55/

Source: security@mozilla.org

Vendor Advisory

https://lists.debian.org/debian-lts-announce/2025/06/msg00029.html

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.debian.org/debian-lts-announce/2025/07/msg00002.html

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.