CVE-2025-5270 — Cleartext Transmission of Sensitive Info in Mozilla Firefox

CWE-319 — Cleartext Transmission of Sensitive Info9 documents8 sources

Severity

7.5HIGHNVD

EPSS

0.2%

top 61.95%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Thunderbird

Timeline

PublishedMay 27

Latest updateFeb 2

Description

In certain cases, SNI could have been sent unencrypted even when encrypted DNS was enabled. This vulnerability was fixed in Firefox 139 and Thunderbird 139.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDmozilla/firefox< 139.0

▶Ubuntumozilla/thunderbird< 1:140.7.1+build1-0ubuntu0.22.04.1

🔴Vulnerability Details

OSV

CVE-2025-5270: In certain cases, SNI could have been sent unencrypted even when encrypted DNS was enabled↗2025-05-27

▶

GHSA

GHSA-hf6r-227w-qwf9: In certain cases, SNI could have been sent unencrypted even when encrypted DNS was enabled↗2025-05-27

▶

CVEList

SNI was sometimes unencrypted↗2025-05-27

▶

📋Vendor Advisories

Ubuntu

Thunderbird vulnerabilities↗2026-02-02

▶

Red Hat

firefox: SNI was sometimes unencrypted↗2025-05-27

▶

Debian

CVE-2025-5270: firefox - In certain cases, SNI could have been sent unencrypted even when encrypted DNS w...↗2025

▶

Mozilla

Mozilla Foundation Security Advisory 2025-42: CVE-2025-5270↗

▶

Mozilla

Mozilla Foundation Security Advisory 2025-45: CVE-2025-5270↗

▶