CVE-2025-0239 — Improper Certificate Validation in Mozilla Firefox

CWE-295 — Improper Certificate Validation CWE-601 — Open Redirect13 documents8 sources

Severity

4.0MEDIUMNVD

OSV5.4

EPSS

0.0%

top 91.47%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Thunderbird Mozilla Firefox

Timeline

PublishedJan 7

Latest updateFeb 2

Description

When using Alt-Svc, ALPN did not properly validate certificates when the original server is redirecting to an insecure site. This vulnerability was fixed in Firefox 134, Firefox ESR 128.6, Thunderbird 134, and Thunderbird 128.6.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 2.5 | Impact: 1.4

Affected Packages4 packages

▶NVDmozilla/firefox< 128.6.0+1

▶NVDmozilla/thunderbird129.0 — 134.0+1

▶Ubuntumozilla/firefox< 134.0+build1-0ubuntu0.20.04.1

▶Debianmozilla/thunderbird< 1:128.6.0esr-1~deb11u1+3

🔴Vulnerability Details

OSV

firefox vulnerabilities↗2025-01-09

▶

CVEList

Alt-Svc ALPN validation failure when redirected↗2025-01-07

▶

GHSA

GHSA-p4q7-g7ff-823j: When using Alt-Svc, ALPN did not properly validate certificates when the original server is redirecting to an insecure site↗2025-01-07

▶

OSV

CVE-2025-0239: When using Alt-Svc, ALPN did not properly validate certificates when the original server is redirecting to an insecure site↗2025-01-07

▶

📋Vendor Advisories

Ubuntu

Thunderbird vulnerabilities↗2026-02-02

▶

Ubuntu

Firefox vulnerabilities↗2025-01-09

▶

Red Hat

firefox: Alt-Svc ALPN validation failure when redirected↗2025-01-07

▶

Debian

CVE-2025-0239: firefox - When using Alt-Svc, ALPN did not properly validate certificates when the origina...↗2025

▶

Mozilla

Mozilla Foundation Security Advisory 2025-01: CVE-2025-0239↗

▶