WebAuthn Challenge Vulnerability in Mozilla Firefox
CVE-2025-6433

9.8 CRITICAL

Key Information:

Vendor

Mozilla

CVE Published:
24 June 2025

What is CVE-2025-6433?

Mozilla Firefox could prompt a user to complete a WebAuthn challenge on a webpage served with an invalid TLS certificate, once the user had added an exception for that certificate. The WebAuthn specification requires a secure transport and an unbroken connection for the duration of the authentication ceremony, so allowing the ceremony to proceed over a connection with an excepted certificate bypasses that requirement. The vulnerability is therefore a case of improper handling of certificate errors during user authentication.

Affected Version(s)

Firefox 140

Thunderbird 140

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Credit

Simon