CVE-2025-5270
published 2025-05-27CVE-2025-5270: In certain cases, SNI could have been sent unencrypted even when encrypted DNS was enabled. This vulnerability was fixed in Firefox 139 and Thunderbird 139.
high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
In certain cases, SNI could have been sent unencrypted even when encrypted DNS was enabled. This vulnerability was fixed in Firefox 139 and Thunderbird 139.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | firefox | < firefox 139.0-1 (sid) | firefox 139.0-1 (sid) |
| mozilla | firefox | < 139.0 | 139.0 |
| mozilla | firefox | — | — |
| mozilla | thunderbird | >= 0 < 1:140.7.1+build1-0ubuntu0.22.04.1 | 1:140.7.1+build1-0ubuntu0.22.04.1 |
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
osv7.5HIGH