Unencrypted SNI Exposure in Firefox by Mozilla
CVE-2025-5270

7.5 HIGH

Key Information:

Vendor: Mozilla

Status
Vendor
CVE Published: 27 May 2025

What is CVE-2025-5270?

A vulnerability exists in specific versions of Firefox where Server Name Indication (SNI) could be transmitted unencrypted, potentially allowing attackers to intercept sensitive information. This issue arises even when encrypted DNS is enabled, exposing users who depend on privacy protections. Users of Firefox versions below 139 are encouraged to update to protect against this exposure.

Affected Version(s)

Firefox < 139

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

xiulou