CVE-2025-6429

Published: Jun 24, 2025Modified: Apr 13, 2026

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Exploitability: 2.8 / Impact: 3.6

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

Firefox could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing the URL specified in an `embed` tag. This could have bypassed website security checks that restricted which domains users were allowed to embed. This vulnerability was fixed in Firefox 140, Firefox ESR 128.12, Thunderbird 140, and Thunderbird 128.12.

Affected (2)

Products: Mozilla: Firefox

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Mozilla Firefox	Before 140.0
Mozilla Firefox	Before 128.12.0

Related CWEs

Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

References (7)

https://bugzilla.mozilla.org/show_bug.cgi?id=1970658

Source: security@mozilla.org

Permissions Required

https://www.mozilla.org/security/advisories/mfsa2025-51/

Source: security@mozilla.org

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2025-53/

Source: security@mozilla.org

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2025-54/

Source: security@mozilla.org

https://www.mozilla.org/security/advisories/mfsa2025-55/

Source: security@mozilla.org

https://lists.debian.org/debian-lts-announce/2025/06/msg00029.html

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.debian.org/debian-lts-announce/2025/07/msg00002.html

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.