Cross-Site Scripting Vulnerability in Firefox Web Browser
CVE-2025-6430
What is CVE-2025-6430?
CVE-2025-6430 is a cross-site scripting (XSS) vulnerability in the Firefox web browser, affecting Firefox versions earlier than 140 and Firefox Extended Support Release (ESR) versions earlier than 128.12. The flaw stems from improper handling of file downloads specified via the Content-Disposition header when such files are embedded using `<embed>` or `<object>` HTML tags. An attacker could use this to inject malicious scripts and perform unauthorized actions within a victim's browser session. For organizations, the consequences could include data leakage, session hijacking, and the delivery of further malicious payloads.
Potential impact of CVE-2025-6430
- Unauthorized Access and Data Manipulation: Attackers could inject malicious scripts that manipulate web application data or capture sensitive user information, leading to significant financial loss or reputational damage for organizations.
- Session Hijacking: Exploiting the vulnerability could allow attackers to hijack user sessions, gaining unauthorized access to accounts and confidential information, posing a severe security risk.
- Increased Malware Distribution Risks: By leveraging this vulnerability, attackers might deploy ransomware or other malware, creating conditions for widespread infection that would complicate recovery efforts for affected organizations.
Affected Version(s)
Firefox < 140
Firefox ESR < 128.12
Thunderbird < 140
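Because the fix is a browser update rather than a server-side change, the practical defender task is finding which installed builds still fall inside the affected ranges listed above. The following is an added example, not code from the advisory or from Mozilla: it encodes the three ranges stated on this page (Firefox < 140, Firefox ESR < 128.12, Thunderbird < 140) and audits a constructed CSV inventory of hosts. The inventory format and hostnames are assumptions for the example; a version string ending in "esr" is treated as an ESR build.

```python
import csv
from io import StringIO

# First fixed version per product/channel, taken from the affected ranges on the page.
# A version is affected if it is strictly lower than the entry here.
FIXED_IN = {
    ("firefox", "release"): (140, 0),
    ("firefox", "esr"): (128, 12),
    ("thunderbird", "release"): (140, 0),
}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '128.11.0esr' into (128, 11, 0); non-numeric suffixes are dropped."""
    core = version.strip().lower().removesuffix("esr")
    parts = []
    for piece in core.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(product: str, version: str, esr: bool = False) -> bool:
    """Return True if this build falls inside an affected range for CVE-2025-6430.

    The ESR channel only exists for Firefox on this page, so the 'esr' flag (or an
    'esr' suffix on the version string) is ignored for Thunderbird.
    """
    product = product.strip().lower()
    esr = esr or version.strip().lower().endswith("esr")
    channel = "esr" if (product == "firefox" and esr) else "release"
    key = (product, channel)
    if key not in FIXED_IN:
        raise ValueError(f"no affected range known for {product!r}")
    # Tuple comparison: (128, 11, 0) < (128, 12) is True, (128, 12, 0) < (128, 12) is False.
    return parse_version(version) < FIXED_IN[key]


# Constructed inventory for the example; columns are host, product, version.
SAMPLE_INVENTORY = """\
host,product,version
ws-01,firefox,139.0.4
ws-02,firefox,140.0.2
srv-01,firefox,128.11.0esr
srv-02,firefox,128.12.0esr
mail-01,thunderbird,139.0.1
mail-02,thunderbird,140.0
"""


def audit_inventory(inventory_csv: str) -> list[str]:
    """Return the hostnames whose installed build is still in an affected range."""
    affected_hosts = []
    for row in csv.DictReader(StringIO(inventory_csv)):
        if is_affected(row["product"], row["version"]):
            affected_hosts.append(row["host"])
    return affected_hosts


if __name__ == "__main__":
    for host in audit_inventory(SAMPLE_INVENTORY):
        print(f"{host}: update required for CVE-2025-6430")
```

Note that the ESR branch is handled separately on purpose: a naive "major version below 140" rule would flag a patched 128.12 ESR build as vulnerable, which is the kind of false positive that makes fleet reports get ignored.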