{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-6434", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2025-06-20T14:51:40.757Z", "datePublished": "2025-06-24T12:28:04.375Z", "dateUpdated": "2026-04-13T14:31:11.320Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "140", "lessThanOrEqual": "*", "versionType": "rpm"}]}, {"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "140", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "The exception page for the HTTPS-Only feature, displayed when a website is opened via HTTP, lacked an anti-clickjacking delay, potentially allowing an attacker to trick a user into granting an exception and loading a webpage over HTTP. This vulnerability was fixed in Firefox 140 and Thunderbird 140.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "The exception page for the HTTPS-Only feature, displayed when a website is opened via HTTP, lacked an anti-clickjacking delay, potentially allowing an attacker to trick a user into granting an exception and loading a webpage over HTTP. This vulnerability was fixed in Firefox 140 and Thunderbird 140."}]}], "title": "HTTPS-Only exception screen lacked anti-clickjacking delay", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1955182"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-51/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-54/"}], "credits": [{"lang": "en", "value": "hafiizh & kang ali"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:31:11.320Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-1021", "lang": "en", "description": "CWE-1021 Improper Restriction of Rendered UI Layers or Frames"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-06-25T14:20:21.535910Z", "id": "CVE-2025-6434", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-25T14:23:05.002Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-6434", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-25T14:20:21.535910Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1021", "description": "CWE-1021 Improper Restriction of Rendered UI Layers or Frames"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-25T14:20:24.853Z"}}], "cna": {"title": "HTTPS-Only exception screen lacked anti-clickjacking delay", "credits": [{"lang": "en", "value": "hafiizh & kang ali"}], "affected": [{"vendor": "Mozilla", "product": "Firefox", "versions": [{"status": "unaffected", "version": "140", "versionType": "rpm", "lessThanOrEqual": "*"}]}, {"vendor": "Mozilla", "product": "Thunderbird", "versions": [{"status": "unaffected", "version": "140", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1955182"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-51/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-54/"}], "descriptions": [{"lang": "en", "value": "The exception page for the HTTPS-Only feature, displayed when a website is opened via HTTP, lacked an anti-clickjacking delay, potentially allowing an attacker to trick a user into granting an exception and loading a webpage over HTTP. This vulnerability was fixed in Firefox 140 and Thunderbird 140.", "supportingMedia": [{"type": "text/html", "value": "The exception page for the HTTPS-Only feature, displayed when a website is opened via HTTP, lacked an anti-clickjacking delay, potentially allowing an attacker to trick a user into granting an exception and loading a webpage over HTTP. This vulnerability was fixed in Firefox 140 and Thunderbird 140.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:31:11.320Z"}}}, "cveMetadata": {"cveId": "CVE-2025-6434", "state": "PUBLISHED", "dateUpdated": "2026-04-13T14:31:11.320Z", "dateReserved": "2025-06-20T14:51:40.757Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2025-06-24T12:28:04.375Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*", "matchCriteriaId": "77D2BF2A-26A3-4664-93B5-B41BCF17AC9E", "versionEndExcluding": "140.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The exception page for the HTTPS-Only feature, displayed when a website is opened via HTTP, lacked an anti-clickjacking delay, potentially allowing an attacker to trick a user into granting an exception and loading a webpage over HTTP. This vulnerability was fixed in Firefox 140 and Thunderbird 140."}, {"lang": "es", "value": "La p\u00e1gina de excepci\u00f3n de la funci\u00f3n Solo HTTPS, que se mostraba al abrir un sitio web mediante HTTP, carec\u00eda de un retardo anti-clickjacking, lo que potencialmente permit\u00eda a un atacante enga\u00f1ar al usuario para que concediera una excepci\u00f3n y cargara una p\u00e1gina web mediante HTTP. Esta vulnerabilidad afecta a Firefox anterior a la versi\u00f3n 140."}], "id": "CVE-2025-6434", "lastModified": "2026-04-13T15:17:07.977", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-06-24T13:15:24.447", "references": [{"source": "security@mozilla.org", "tags": ["Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1955182"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-51/"}, {"source": "security@mozilla.org", "url": "https://www.mozilla.org/security/advisories/mfsa2025-54/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1021"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "firefox: HTTPS-Only exception screen lacked anti-clickjacking delay", "id": "2374566", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2374566"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N", "status": "draft"}, "details": ["The exception page for the HTTPS-Only feature, displayed when a website is opened via HTTP, lacked an anti-clickjacking delay, potentially allowing an attacker to trick a user into granting an exception and loading a webpage over HTTP. This vulnerability affects Firefox < 140."], "name": "CVE-2025-6434", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "rhel10/firefox-flatpak", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-06-24T12:28:04Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-6434\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-6434\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1955182\nhttps://www.mozilla.org/security/advisories/mfsa2025-51/"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.", "threat_severity": "Low"}

{"analysis": {"en": {"generated_at": "2026-04-20T16:57:24.948228+00:00", "value": {"mitigation_remediation": ["Upgrade Firefox to version 140 or later.", "Upgrade Thunderbird to version 140 or later.", "Educate users to verify the authenticity of HTTPS\u2011Only exception prompts before accepting the exception."], "summary": {"action": "Patch", "impact": "Potential downgrade of HTTPS to HTTP via clickjacking during exception prompt"}, "threat_synthesis": {"affected_systems": "Mozilla Firefox and Mozilla Thunderbird versions prior to 140 were impacted. The vulnerability was fixed in Firefox 140 and Thunderbird 140, so any release before these versions is considered vulnerable.", "description_and_impact": "The HTTPS-Only exception page in Firefox and Thunderbird lacked an anti-clickjacking delay, allowing an attacker to craft a page that tricks a user into granting a non-HTTPS exception. This could lead to the browser loading the site over HTTP, exposing the user to data interception, credential theft, or other downgrade attacks. The weakness corresponds to CWE-1021, a user interface manipulation flaw that requires user interaction to be exploited.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a moderate severity, and the EPSS score of less than 1\u202f% shows a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, suggesting it has not been widely exploited yet. Exploitation requires a user to interact with a maliciously crafted page that presents the exception screen; once the user clicks to accept the exception, the browser will load the HTTP site, potentially enabling further attacks."}}}}, "created": "2025-07-06T22:16:27.366202+00:00", "updated": "2026-04-20T17:00:12.757275+00:00", "vendors": ["mozilla", "mozilla$PRODUCT$firefox"]}