CVE-2025-6432

Published: Jun 24, 2025Modified: Jun 17, 2026

8.6

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Exploitability: 3.9 / Impact: 4.7

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

When Multi-Account Containers was enabled, DNS requests could have bypassed a SOCKS proxy when the domain name was invalid or the SOCKS proxy was not responding. This vulnerability was fixed in Firefox 140 and Thunderbird 140.

Affected (1)

Products: Mozilla: Firefox

Mozilla

1 product

Firefox

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Mozilla Firefox	Before 140.0

Related CWEs

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References (3)

https://bugzilla.mozilla.org/show_bug.cgi?id=1943804

Source: security@mozilla.org

Permissions Required

https://www.mozilla.org/security/advisories/mfsa2025-51/

Source: security@mozilla.org

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2025-54/

Source: security@mozilla.org

Timeline

No history available yet.