CVE-2025-6429Improper Encoding or Escaping of Output in Mozilla Firefox

CWE-116Improper Encoding or Escaping of OutputCWE-706Use of Incorrectly-Resolved Name or Reference11 documents8 sources
Severity
6.5MEDIUMNVD
EPSS
0.1%
top 69.21%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Mozilla ThunderbirdMozilla Firefox
Timeline
PublishedJun 24
Latest updateJul 22

Description

Firefox could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing the URL specified in an `embed` tag. This could have bypassed website security checks that restricted which domains users were allowed to embed. This vulnerability was fixed in Firefox 140, Firefox ESR 128.12, Thunderbird 140, and Thunderbird 128.12.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

NVDmozilla/firefox< 128.12.0+1
Debianmozilla/thunderbird< 1:128.12.0esr-1~deb11u1+3

🔴Vulnerability Details

3
GHSA
GHSA-8r38-4g4q-hgvw: Firefox could have incorrectly parsed a URL and rewritten it to the youtube2025-06-26
CVEList
Incorrect parsing of URLs could have allowed embedding of youtube.com2025-06-24
OSV
CVE-2025-6429: Firefox could have incorrectly parsed a URL and rewritten it to the youtube2025-06-24

📋Vendor Advisories

7
Ubuntu
Thunderbird vulnerabilities2025-07-22
Red Hat
firefox: thunderbird: Incorrect parsing of URLs could have allowed embedding of youtube.com2025-06-24
Debian
CVE-2025-6429: firefox - Firefox could have incorrectly parsed a URL and rewritten it to the youtube.com ...2025
Mozilla
Mozilla Foundation Security Advisory 2025-54: CVE-2025-6429
Mozilla
Mozilla Foundation Security Advisory 2025-55: CVE-2025-6429
CVE-2025-6429 — Improper Encoding or Escaping of Output | cvebase