CVE-2025-6433: Improper Certificate Validation in Mozilla Firefox

Severity: 9.8 CRITICAL (NVD)
EPSS: 0.1% (top 80.44%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jun 24; latest update Feb 2

Description

If a user visited a webpage with an invalid TLS certificate and granted an exception, the webpage was able to provide a WebAuthn challenge that the user would be prompted to complete. This violates the WebAuthn spec, which requires "a secure transport established without errors". This vulnerability was fixed in Firefox 140 and Thunderbird 140.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (2 packages)

NVD: mozilla/firefox < 140.0
Ubuntu: mozilla/thunderbird < 1:140.7.1+build1-0ubuntu0.22.04.1

Vulnerability Details (3 sources)

GHSA: GHSA-7f3m-mqm5-5x2c: If a user visited a webpage with an invalid TLS certificate, and granted an exception, the webpage was able to provide a WebAuthn challenge that the u... (2025-06-26)
OSV: CVE-2025-6433: If a user visited a webpage with an invalid TLS certificate, and granted an exception, the webpage was able to provide a WebAuthn challenge that the u... (2025-06-24)
CVEList: WebAuthn would allow a user to sign a challenge on a webpage with an invalid TLS certificate (2025-06-24)

Vendor Advisories (5 advisories)

Ubuntu: Thunderbird vulnerabilities (2026-02-02)
Red Hat: firefox: WebAuthn would allow a user to sign a challenge on a webpage with an invalid TLS certificate (2025-06-24)
Debian: CVE-2025-6433: firefox - If a user visited a webpage with an invalid TLS certificate, and granted an exce... (2025)
Mozilla: Mozilla Foundation Security Advisory 2025-54: CVE-2025-6433
Mozilla: Mozilla Foundation Security Advisory 2025-51: CVE-2025-6433
CVE-2025-6433 — Improper Certificate Validation | cvebase