CVE-2025-8031Incorrect Default Permissions in Mozilla Firefox

CWE-276Incorrect Default Permissions13 documents8 sources
Severity
9.8CRITICALNVD
EPSS
0.1%
top 67.21%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Mozilla ThunderbirdMozilla Firefox
Timeline
PublishedJul 22
Latest updateFeb 2

Description

The `username:password` part was not correctly stripped from URLs in CSP reports potentially leaking HTTP Basic Authentication credentials. This vulnerability was fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

NVDmozilla/firefox140.0140.1.0+2
NVDmozilla/thunderbird140.0140.1.0+2
Debianmozilla/thunderbird< 1:128.13.0esr-1~deb11u1+3

🔴Vulnerability Details

3
GHSA
GHSA-q32c-9wc5-gv77: The `username:password` part was not correctly stripped from URLs in CSP reports potentially leaking HTTP Basic Authentication credentials2025-07-22
OSV
CVE-2025-8031: The `username:password` part was not correctly stripped from URLs in CSP reports potentially leaking HTTP Basic Authentication credentials2025-07-22
CVEList
Incorrect URL stripping in CSP reports2025-07-22

📋Vendor Advisories

9
Ubuntu
Thunderbird vulnerabilities2026-02-02
Red Hat
firefox: thunderbird: Incorrect URL stripping in CSP reports2025-07-22
Debian
CVE-2025-8031: firefox - The `username:password` part was not correctly stripped from URLs in CSP reports...2025
Mozilla
Mozilla Foundation Security Advisory 2025-63: CVE-2025-8031
Mozilla
Mozilla Foundation Security Advisory 2025-59: CVE-2025-8031
CVE-2025-8031 — Incorrect Default Permissions | cvebase