Description
When using Alt-Svc, ALPN did not properly validate certificates when the original server is redirecting to an insecure site. This vulnerability was fixed in Firefox 134, Firefox ESR 128.6, Thunderbird 134, and Thunderbird 128.6.
Published: 2025-01-07
Score: 4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Man-in-the-middle
Action: Patch immediately
AI Analysis

Impact

A flaw in Alt‑Service (Alt‑Svc) handling caused the ALPN mechanism to fail to validate TLS certificates when the original server redirected to an insecure site. The control failure allowed an attacker to trick a client into believing it was communicating securely with a legitimate server while actually connecting to a malicious server, creating a full interception path for traffic modification or eavesdropping.

Affected Systems

The vulnerability is relevant to Mozilla Firefox versions older than 134 and the Firefox ESR branch older than 128.6, as well as Mozilla Thunderbird versions older than 134 and its ESR branch older than 128.6. Users of those browsers on any platform that uses Alt‑Svc for protocol negotiation are potentially impacted.

Risk and Exploitability

The CVSS score of 4.0 indicates a low overall severity, and the EPSS score of less than 1% suggests a very low probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog. The likely attack vector, inferred from the description, requires an attacker to control a server that a victim’s browser connects to via Alt‑Svc and to orchestrate an insecure redirect; this makes exploitation non-trivial but still possible in environments with exposed Alt‑Svc endpoints.

Generated by OpenCVE AI on April 20, 2026 at 23:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Firefox to version 134 or newer, or at least to the Firefox ESR 128.6 release.
  • Upgrade Thunderbird to version 134 or newer, or at least to the Thunderbird ESR 128.6 release.
  • If an immediate update is not possible, disable Alt‑Service or ALPN handling in the browser configuration to prevent the protocol from being used until the patch is applied.

Generated by OpenCVE AI on April 20, 2026 at 23:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4011-1 firefox-esr security update
Debian DLA Debian DLA DLA-4012-1 thunderbird security update
Debian DSA Debian DSA DSA-5839-1 firefox-esr security update
Debian DSA Debian DSA DSA-5841-1 thunderbird security update
EUVD EUVD EUVD-2025-1571 When using Alt-Svc, ALPN did not properly validate certificates when the original server is redirecting to an insecure site. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird < 128.6.
Ubuntu USN Ubuntu USN USN-7191-1 Firefox vulnerabilities
Ubuntu USN Ubuntu USN USN-7991-1 Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description When using Alt-Svc, ALPN did not properly validate certificates when the original server is redirecting to an insecure site. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird < 128.6. When using Alt-Svc, ALPN did not properly validate certificates when the original server is redirecting to an insecure site. This vulnerability was fixed in Firefox 134, Firefox ESR 128.6, Thunderbird 134, and Thunderbird 128.6.
Title firefox: Alt-Svc ALPN validation failure when redirected Alt-Svc ALPN validation failure when redirected

Mon, 03 Nov 2025 23:30:00 +0000

Type Values Removed Values Added
References

Thu, 03 Apr 2025 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
Vendors & Products Mozilla
Mozilla firefox
Mozilla thunderbird

Thu, 13 Feb 2025 01:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:rhel_aus:8.2
cpe:/a:redhat:rhel_aus:8.6
cpe:/a:redhat:rhel_e4s:8.6
cpe:/a:redhat:rhel_e4s:9.0
cpe:/a:redhat:rhel_eus:8.8
cpe:/a:redhat:rhel_eus:9.4
cpe:/a:redhat:rhel_tus:8.6

Mon, 13 Jan 2025 22:15:00 +0000

Type Values Removed Values Added
Description When using Alt-Svc, ALPN did not properly validate certificates when the original server is redirecting to an insecure site. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird ESR < 128.6. When using Alt-Svc, ALPN did not properly validate certificates when the original server is redirecting to an insecure site. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird < 128.6.

Thu, 09 Jan 2025 14:00:00 +0000

Type Values Removed Values Added
Title firefox: Alt-Svc ALPN validation failure when redirected
First Time appeared Redhat
Redhat enterprise Linux
Redhat rhel Aus
Redhat rhel E4s
Redhat rhel Els
Redhat rhel Eus
Redhat rhel Tus
Weaknesses CWE-601
CPEs cpe:/a:redhat:enterprise_linux:8
cpe:/a:redhat:enterprise_linux:9
cpe:/a:redhat:rhel_aus:8.4
cpe:/a:redhat:rhel_e4s:8.4
cpe:/a:redhat:rhel_eus:9.2
cpe:/a:redhat:rhel_tus:8.4
cpe:/o:redhat:rhel_els:7
Vendors & Products Redhat
Redhat enterprise Linux
Redhat rhel Aus
Redhat rhel E4s
Redhat rhel Els
Redhat rhel Eus
Redhat rhel Tus
References
Metrics threat_severity

None

 threat_severity

Moderate

Thu, 09 Jan 2025 08:45:00 +0000

Type Values Removed Values Added
Description When using Alt-Svc, ALPN did not properly validate certificates when the original server is redirecting to an insecure site. This vulnerability affects Firefox < 134 and Firefox ESR < 128.6. When using Alt-Svc, ALPN did not properly validate certificates when the original server is redirecting to an insecure site. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird ESR < 128.6.
References

Wed, 08 Jan 2025 17:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-295
Metrics cvssV3_1

{'score': 4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 07 Jan 2025 16:15:00 +0000

Type Values Removed Values Added
Description When using Alt-Svc, ALPN did not properly validate certificates when the original server is redirecting to an insecure site. This vulnerability affects Firefox < 134 and Firefox ESR < 128.6.
References

Subscriptions

Mozilla Firefox Thunderbird
Redhat Enterprise Linux Rhel Aus Rhel E4s Rhel Els Rhel Eus Rhel Tus
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:30:01.233Z

Reserved: 2025-01-06T14:49:04.597Z

Link: CVE-2025-0239

cve-icon Vulnrichment

Updated: 2025-11-03T22:33:39.114Z

cve-icon NVD

Status : Modified

Published: 2025-01-07T16:15:38.563

Modified: 2026-04-13T15:16:32.543

Link: CVE-2025-0239

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-01-07T16:07:06Z

Links: CVE-2025-0239 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T00:00:13Z

Weaknesses