CVE-2025-6427: Protection Mechanism Failure in Mozilla Firefox

Severity: 9.1 CRITICAL (NVD)
EPSS: 0.1% (top 75.01%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jun 24; latest update Feb 2

Description

An attacker was able to bypass the `connect-src` directive of a Content Security Policy by manipulating subdocuments. This would have also hidden the connections from the Network tab in Devtools. This vulnerability was fixed in Firefox 140 and Thunderbird 140.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Exploitability: 3.9 | Impact: 5.2

Affected Packages (2 packages)

NVD: mozilla/firefox < 140.0
Ubuntu: mozilla/thunderbird < 1:140.7.1+build1-0ubuntu0.22.04.1

Vulnerability Details (3)

GHSA: GHSA-823q-pcrj-c4xv: An attacker was able to bypass the `connect-src` directive of a Content Security Policy by manipulating subdocuments (2025-06-26)
OSV: CVE-2025-6427: An attacker was able to bypass the `connect-src` directive of a Content Security Policy by manipulating subdocuments (2025-06-24)
CVEList: connect-src Content Security Policy restriction could be bypassed (2025-06-24)

Vendor Advisories (5)

Ubuntu: Thunderbird vulnerabilities (2026-02-02)
Red Hat: firefox: connect-src Content Security Policy restriction could be bypassed (2025-06-24)
Debian: CVE-2025-6427: firefox - An attacker was able to bypass the `connect-src` directive of a Content Security... (2025)
Mozilla: Mozilla Foundation Security Advisory 2025-51: CVE-2025-6427
Mozilla: Mozilla Foundation Security Advisory 2025-54: CVE-2025-6427