← Back

CVE-2025-8031

nvd nist
Published: Jul 22, 2025Modified: Apr 13, 2026

JSON object

Loading...
9.8
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 / Impact: 5.9
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

The `username:password` part was not correctly stripped from URLs in CSP reports potentially leaking HTTP Basic Authentication credentials. This vulnerability was fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1.

Affected (6)

Mozilla
2 products
Firefox
Thunderbird
Configuration A
6 vulnerable
Vulnerable SoftwareAffected Versions
Mozilla
Firefox
Before 141.0
Firefox
Before 128.13.0
Firefox
From 140.0 to 140.1.0
Mozilla
Thunderbird
Before 141.0
Thunderbird
Before 128.13.0
Thunderbird
From 140.0 to 140.1.0

Related CWEs

CWE-276
Incorrect Default Permissions
During installation, installed file permissions are set to allow anyone to modify those files.

References (8)

Source: security@mozilla.org
Permissions Required
Source: security@mozilla.org
Vendor Advisory
Source: security@mozilla.org
Vendor Advisory
Source: security@mozilla.org
Vendor Advisory
Source: security@mozilla.org
Vendor Advisory
Source: security@mozilla.org
Vendor Advisory
Source: security@mozilla.org
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.