{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-5271", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2025-05-27T12:29:29.015Z", "datePublished": "2025-05-27T12:29:29.404Z", "dateUpdated": "2026-04-13T14:30:48.968Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "139", "lessThanOrEqual": "*", "versionType": "rpm"}]}, {"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "139", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "Previewing a response in Devtools ignored CSP headers, which could have allowed content injection attacks. This vulnerability was fixed in Firefox 139 and Thunderbird 139.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Previewing a response in Devtools ignored CSP headers, which could have allowed content injection attacks. This vulnerability was fixed in Firefox 139 and Thunderbird 139."}]}], "title": "Devtools' preview ignored CSP headers", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1920348"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-42/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-45/"}], "credits": [{"lang": "en", "value": "Satoki Tsuji"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:30:48.968Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-116", "lang": "en", "description": "CWE-116 Improper Encoding or Escaping of Output"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-05-27T17:36:12.567350Z", "id": "CVE-2025-5271", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-27T17:37:33.657Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-5271", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-27T17:36:12.567350Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-116", "description": "CWE-116 Improper Encoding or Escaping of Output"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-27T17:37:27.980Z"}}], "cna": {"title": "Devtools' preview ignored CSP headers", "credits": [{"lang": "en", "value": "Satoki Tsuji"}], "affected": [{"vendor": "Mozilla", "product": "Firefox", "versions": [{"status": "unaffected", "version": "139", "versionType": "rpm", "lessThanOrEqual": "*"}]}, {"vendor": "Mozilla", "product": "Thunderbird", "versions": [{"status": "unaffected", "version": "139", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1920348"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-42/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-45/"}], "descriptions": [{"lang": "en", "value": "Previewing a response in Devtools ignored CSP headers, which could have allowed content injection attacks. This vulnerability was fixed in Firefox 139 and Thunderbird 139.", "supportingMedia": [{"type": "text/html", "value": "Previewing a response in Devtools ignored CSP headers, which could have allowed content injection attacks. This vulnerability was fixed in Firefox 139 and Thunderbird 139.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:30:48.968Z"}}}, "cveMetadata": {"cveId": "CVE-2025-5271", "state": "PUBLISHED", "dateUpdated": "2026-04-13T14:30:48.968Z", "dateReserved": "2025-05-27T12:29:29.015Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2025-05-27T12:29:29.404Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "matchCriteriaId": "82C74587-41B7-49DB-8B9D-99DE41506023", "versionEndExcluding": "139.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Previewing a response in Devtools ignored CSP headers, which could have allowed content injection attacks. This vulnerability was fixed in Firefox 139 and Thunderbird 139."}, {"lang": "es", "value": "La vista previa de una respuesta en DevTools ignoraba los encabezados CSP, lo que podr\u00eda haber permitido ataques de inyecci\u00f3n de contenido. Esta vulnerabilidad afecta a Firefox anterior a la versi\u00f3n 139."}], "id": "CVE-2025-5271", "lastModified": "2026-04-13T15:17:05.267", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-05-27T13:15:22.923", "references": [{"source": "security@mozilla.org", "tags": ["Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1920348"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-42/"}, {"source": "security@mozilla.org", "url": "https://www.mozilla.org/security/advisories/mfsa2025-45/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-116"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "firefox: Devtools' preview ignored CSP headers", "id": "2368753", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2368753"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-807", "details": ["Previewing a response in Devtools ignored CSP headers, which could have allowed content injection attacks. This vulnerability affects Firefox < 139 and Thunderbird < 139.", "A flaw was found in Firefox. The Mozilla Foundation's Security Advisory describes the following issue: Previewing a response in Devtools ignors CSP headers, which could allow content injection attacks."], "name": "CVE-2025-5271", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "rhel10/firefox-flatpak", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-05-27T12:29:29Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-5271\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-5271\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1920348\nhttps://www.mozilla.org/security/advisories/mfsa2025-42/"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.", "threat_severity": "Low"}

{"analysis": {"en": {"generated_at": "2026-04-20T18:12:27.267566+00:00", "value": {"mitigation_remediation": ["Update to Firefox\u00a0139 or newer, or Thunderbird\u00a0139 or newer, to receive the fixed developer tools behavior.", "Disable the Network preview feature in developer tools for untrusted content or set `devtools.netlog.enabled` to false to prevent bypass of CSP in DevTools previews.", "Maintain strict Content\u2011Security\u2011Policy headers in your web applications, ensuring that directives like `default-src`, `script-src`, and `object-src` are properly configured to mitigate potential content injection."], "summary": {"action": "Apply Patches", "impact": "Client\u2011Side Content Injection"}, "threat_synthesis": {"affected_systems": "Mozilla products affected by this issue include Firefox and Thunderbird. All releases prior to version\u00a0139 are vulnerable; the vulnerability was corrected in Firefox\u00a0139 and Thunderbird\u00a0139. Users who continue to use older builds are at risk.", "description_and_impact": "A flaw in the developer tools caused the preview of network responses to ignore the Content\u2011Security\u2011Policy headers that would normally restrict what content can be displayed or executed. Because CSP was bypassed, a malicious page could have caused the browser to load or execute attacker\u2011controlled resources when a developer inspected responses in the network panel, leading to potential script injection or other content\u2011injection attacks within the user\u2019s browser context.", "risk_and_exploitability": "The severity of the flaw is reflected in a CVSS score of\u00a06.5, indicating moderate risk. The EPSS score of less than\u00a01\u202f% suggests the probability of widespread exploitation is currently low, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves a compromised or malicious web page that, when inspected by a developer using the network preview tool, triggers the injection of content bypassing CSP. No privilege escalation or remote code execution outside the browser session is described, and the vulnerability appears confined to the client\u2011side developer tools environment."}}}}, "created": "2026-04-20T18:15:13.620385+00:00", "updated": "2026-04-20T18:15:13.620403+00:00", "vendors": []}