{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-6435", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2025-06-20T14:51:42.561Z", "datePublished": "2025-06-24T12:28:04.603Z", "dateUpdated": "2026-04-13T14:31:13.241Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "140", "lessThanOrEqual": "*", "versionType": "rpm"}]}, {"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "140", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "If a user saved a response from the Network tab in Devtools using the Save As context menu option, that file may not have been saved with the `.download` file extension. This could have led to the user inadvertently running a malicious executable. This vulnerability was fixed in Firefox 140 and Thunderbird 140.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "If a user saved a response from the Network tab in Devtools using the Save As context menu option, that file may not have been saved with the <code>.download</code> file extension. This could have led to the user inadvertently running a malicious executable. This vulnerability was fixed in Firefox 140 and Thunderbird 140."}]}], "title": "Save as in Devtools could download files without sanitizing the extension", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1950056"}, {"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1961777"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-51/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-54/"}], "credits": [{"lang": "en", "value": "Ameen Basha M K"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:31:13.241Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-434", "lang": "en", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-06-24T13:37:09.229042Z", "id": "CVE-2025-6435", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-24T13:40:15.391Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-6435", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-06-24T13:37:09.229042Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-24T13:39:11.564Z"}}], "cna": {"title": "Save as in Devtools could download files without sanitizing the extension", "credits": [{"lang": "en", "value": "Ameen Basha M K"}], "affected": [{"vendor": "Mozilla", "product": "Firefox", "versions": [{"status": "unaffected", "version": "140", "versionType": "rpm", "lessThanOrEqual": "*"}]}, {"vendor": "Mozilla", "product": "Thunderbird", "versions": [{"status": "unaffected", "version": "140", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1950056"}, {"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1961777"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-51/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-54/"}], "descriptions": [{"lang": "en", "value": "If a user saved a response from the Network tab in Devtools using the Save As context menu option, that file may not have been saved with the `.download` file extension. This could have led to the user inadvertently running a malicious executable. This vulnerability was fixed in Firefox 140 and Thunderbird 140.", "supportingMedia": [{"type": "text/html", "value": "If a user saved a response from the Network tab in Devtools using the Save As context menu option, that file may not have been saved with the <code>.download</code> file extension. This could have led to the user inadvertently running a malicious executable. This vulnerability was fixed in Firefox 140 and Thunderbird 140.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:31:13.241Z"}}}, "cveMetadata": {"cveId": "CVE-2025-6435", "state": "PUBLISHED", "dateUpdated": "2026-04-13T14:31:13.241Z", "dateReserved": "2025-06-20T14:51:42.561Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2025-06-24T12:28:04.603Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "matchCriteriaId": "6BD96DBF-567C-4E36-844D-B25A4E22CE40", "versionEndExcluding": "140.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "matchCriteriaId": "EE6112E1-F482-4916-BA5E-68868793540F", "versionEndExcluding": "140.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "If a user saved a response from the Network tab in Devtools using the Save As context menu option, that file may not have been saved with the `.download` file extension. This could have led to the user inadvertently running a malicious executable. This vulnerability was fixed in Firefox 140 and Thunderbird 140."}, {"lang": "es", "value": "Si un usuario guard\u00f3 una respuesta desde la pesta\u00f1a Red en DevTools mediante la opci\u00f3n Guardar como del men\u00fa contextual, es posible que el archivo no se haya guardado con la extensi\u00f3n `.download`. Esto podr\u00eda haber provocado que el usuario ejecutara accidentalmente un archivo malicioso. Esta vulnerabilidad afecta a Firefox anterior a la versi\u00f3n 140."}], "id": "CVE-2025-6435", "lastModified": "2026-04-13T15:17:08.143", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-06-24T13:15:24.560", "references": [{"source": "security@mozilla.org", "tags": ["Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1950056"}, {"source": "security@mozilla.org", "tags": ["Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1961777"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-51/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-54/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "firefox: Save as in Devtools could download files without sanitizing the extension", "id": "2374557", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2374557"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N", "status": "draft"}, "details": ["If a user saved a response from the Network tab in Devtools using the Save As context menu option, that file may not have been saved with the `.download` file extension. This could have led to the user inadvertently running a malicious executable. This vulnerability affects Firefox < 140."], "name": "CVE-2025-6435", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "rhel10/firefox-flatpak", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-06-24T12:28:04Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-6435\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-6435\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1950056\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1961777\nhttps://www.mozilla.org/security/advisories/mfsa2025-51/"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.", "threat_severity": "Low"}

{"analysis": {"en": {"generated_at": "2026-04-20T16:57:04.214337+00:00", "value": {"mitigation_remediation": ["Apply the vendor patch by upgrading to Firefox 140 or later or Thunderbird 140 or later.", "If an update cannot be applied immediately, avoid using the Devtools Save As feature for unknown or untrusted network responses, and verify file extensions before executing the file.", "Run antivirus or endpoint protection to scan files saved via Devtools before any execution."], "summary": {"action": "Immediate Patch", "impact": "Local code execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Mozilla Firefox and Thunderbird versions prior to 140. Users running Firefox 139 or earlier and Thunderbird 139 or earlier are susceptible when they use the Devtools network panel to save responses. Newer releases include a fix that forces the .download extension.", "description_and_impact": "A flaw in Firefox and Thunderbird\u2019s Devtools lets a user save network responses using the Save As option without appending the .download extension. If the original resource was an executable, the file may be saved with a misleading extension and executed inadvertently. This weakness enables local execution of malicious code by exploiting the user\u2019s interaction with the browser\u2019s developer tools. The flaw is identified as CWE\u2011434, reflecting improper handling of untrusted content that can become executable.", "risk_and_exploitability": "With a CVSS score of 8.1, the flaw is assessed as high severity, but the EPSS score of less than 1\u202f% indicates a low likelihood of widespread exploitation. It is not listed in CISA\u2019s KEV catalog. The attack requires a local user to open Devtools and save a response, making it a local, user\u2011initiated vector. Successful exploitation can lead to the execution of arbitrary code on the affected machine."}}}}, "created": "2026-04-20T17:00:12.756852+00:00", "updated": "2026-04-20T17:00:12.756871+00:00", "vendors": []}