
Description

An attacker was able to bypass the `connect-src` directive of a Content Security Policy by manipulating subdocuments. This would also have hidden the resulting connections from the Network tab in DevTools. This vulnerability was fixed in Firefox 140 and Thunderbird 140.

Status: Published | Reserved 2025-06-20 | Published 2025-06-24 | Updated 2026-04-13 | Assigner: mozilla

Product status

140 (rpm): unaffected

140 (rpm): unaffected

Credits

Alan Li (lebr0nli)

References

bugzilla.mozilla.org/show_bug.cgi?id=1966927

www.mozilla.org/security/advisories/mfsa2025-51/

www.mozilla.org/security/advisories/mfsa2025-54/

cve.org (CVE-2025-6427)

nvd.nist.gov (CVE-2025-6427)
