CVE-2025-6434 | THREATINT

Description

The exception page for the HTTPS-Only feature, displayed when a website is opened via HTTP, lacked an anti-clickjacking delay, potentially allowing an attacker to trick a user into granting an exception and loading a webpage over HTTP. This vulnerability was fixed in Firefox 140 and Thunderbird 140.

PUBLISHED Reserved 2025-06-20 | Published 2025-06-24 | Updated 2026-04-13 | Assigner mozilla

Product status

140 (rpm)

unaffected

140 (rpm)

unaffected

Credits

hafiizh & kang ali

References

bugzilla.mozilla.org/show_bug.cgi?id=1955182

www.mozilla.org/security/advisories/mfsa2025-51/

www.mozilla.org/security/advisories/mfsa2025-54/

cve.org (CVE-2025-6434)

nvd.nist.gov (CVE-2025-6434)

Download JSON