CVE-2025-6434UI Misrepresentation / Clickjacking in Mozilla Firefox

CWE-1021UI Misrepresentation / Clickjacking9 documents8 sources
Severity
4.3MEDIUMNVD
EPSS
0.0%
top 85.64%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Mozilla FirefoxMozilla Thunderbird
Timeline
PublishedJun 24
Latest updateFeb 2

Description

The exception page for the HTTPS-Only feature, displayed when a website is opened via HTTP, lacked an anti-clickjacking delay, potentially allowing an attacker to trick a user into granting an exception and loading a webpage over HTTP. This vulnerability was fixed in Firefox 140 and Thunderbird 140.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

NVDmozilla/firefox< 140.0
Ubuntumozilla/thunderbird< 1:140.7.1+build1-0ubuntu0.22.04.1

🔴Vulnerability Details

3
GHSA
GHSA-87mm-rg9r-h8wm: The exception page for the HTTPS-Only feature, displayed when a website is opened via HTTP, lacked an anti-clickjacking delay, potentially allowing an2025-06-26
OSV
CVE-2025-6434: The exception page for the HTTPS-Only feature, displayed when a website is opened via HTTP, lacked an anti-clickjacking delay, potentially allowing an2025-06-24
CVEList
HTTPS-Only exception screen lacked anti-clickjacking delay2025-06-24

📋Vendor Advisories

5
Ubuntu
Thunderbird vulnerabilities2026-02-02
Red Hat
firefox: HTTPS-Only exception screen lacked anti-clickjacking delay2025-06-24
Debian
CVE-2025-6434: firefox - The exception page for the HTTPS-Only feature, displayed when a website is opene...2025
Mozilla
Mozilla Foundation Security Advisory 2025-54: CVE-2025-6434
Mozilla
Mozilla Foundation Security Advisory 2025-51: CVE-2025-6434
CVE-2025-6434 — UI Misrepresentation / Clickjacking | cvebase