Content Security Policy Bypass in Firefox by Mozilla
CVE-2025-6427

9.1CRITICAL

Key Information:

Vendor: Mozilla
Status: Firefox; Thunderbird
Vendor: CVE Published:; 24 June 2025

What is CVE-2025-6427?

A vulnerability was discovered in Firefox that allows attackers to bypass the connect-src directive of a Content Security Policy through subdocument manipulation. This exploit could obscure the connections made by the attacker in the Network tab of Developer Tools, effectively hiding malicious activities from users and developers. This issue primarily impacts Firefox versions earlier than 140, posing a risk to web applications that rely on CSP for securing their content and resources.

Affected Version(s)

Firefox < 140

Thunderbird < 140

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1966927

https://www.mozilla.org/security/advisories/mfsa2025-51/

https://www.mozilla.org/security/advisories/mfsa2025-54/

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 24, 2025
Vulnerability Reserved
Jun 20, 2025

Credit

Alan Li (lebr0nli)