CVE-2025-8031

Description

The `username:password` part was not correctly stripped from URLs in CSP reports potentially leaking HTTP Basic Authentication credentials. This vulnerability was fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1.

PUBLISHED Reserved 2025-07-22 | Published 2025-07-22 | Updated 2026-04-13 | Assigner mozilla

Product status

Credits

Tom Schuster

References

lists.debian.org/debian-lts-announce/2025/07/msg00016.html

bugzilla.mozilla.org/show_bug.cgi?id=1971719

www.mozilla.org/security/advisories/mfsa2025-56/

www.mozilla.org/security/advisories/mfsa2025-58/

www.mozilla.org/security/advisories/mfsa2025-59/

www.mozilla.org/security/advisories/mfsa2025-61/

www.mozilla.org/security/advisories/mfsa2025-62/

www.mozilla.org/security/advisories/mfsa2025-63/

cve.org (CVE-2025-8031)

nvd.nist.gov (CVE-2025-8031)

Download JSON