Description
In certain cases, SNI could have been sent unencrypted even when encrypted DNS was enabled. This vulnerability was fixed in Firefox 139 and Thunderbird 139.
Published: 2025-05-27
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive data exposure through unencrypted TLS Server Name Indication
Action: Patch
AI Analysis

Impact

The vulnerability allows the TLS Server Name Indication (SNI) extension to be transmitted without encryption in certain circumstances where DNS traffic is otherwise encrypted. This flaw results in loss of confidentiality, as the domain names requested over TLS can be exposed to anyone who can observe network traffic. The weakness is identified as CWE‑319, Loss of Confidentiality via Unencrypted Communication.

Affected Systems

Mozilla Firefox and Mozilla Thunderbird versions older than 139 are affected. The issue was resolved in Firefox 139 and Thunderbird 139. Users running earlier versions in environments that enable encrypted DNS should be aware that unencrypted SNI may still be sent.

Risk and Exploitability

The CVSS score of 7.5 indicates a high impact on confidentiality. The EPSS score of less than 1% suggests a low probability of exploitation at this time, and the vulnerability is not listed in CISA KEV. The likely attack vector is passive network monitoring of the TLS handshake (inferred from the description) in scenarios where encrypted DNS is expected to protect all TLS metadata. Although this can be observed by adversaries with access to the network path, the overall threat remains limited because the primary effect is informational leakage rather than direct system compromise.

Generated by OpenCVE AI on April 20, 2026 at 20:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Firefox to version 139 or later
  • Upgrade Thunderbird to version 139 or later
  • If upgrading is not possible, monitor TLS traffic for unencrypted SNI entries or apply network controls that detect and flag such traffic

Generated by OpenCVE AI on April 20, 2026 at 20:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-18106 In certain cases, SNI could have been sent unencrypted even when encrypted DNS was enabled. This vulnerability affects Firefox < 139 and Thunderbird < 139.
Ubuntu USN Ubuntu USN USN-7991-1 Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description In certain cases, SNI could have been sent unencrypted even when encrypted DNS was enabled. This vulnerability affects Firefox < 139 and Thunderbird < 139. In certain cases, SNI could have been sent unencrypted even when encrypted DNS was enabled. This vulnerability was fixed in Firefox 139 and Thunderbird 139.

Thu, 30 Oct 2025 16:30:00 +0000

Type Values Removed Values Added
Title firefox: SNI was sometimes unencrypted SNI was sometimes unencrypted

Tue, 23 Sep 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Jun 2025 12:15:00 +0000

Type Values Removed Values Added
Description In certain cases, SNI could have been sent unencrypted even when encrypted DNS was enabled. This vulnerability affects Firefox < 139. In certain cases, SNI could have been sent unencrypted even when encrypted DNS was enabled. This vulnerability affects Firefox < 139 and Thunderbird < 139.
References

Wed, 28 May 2025 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
Vendors & Products Mozilla
Mozilla firefox

Wed, 28 May 2025 14:45:00 +0000

Type Values Removed Values Added
Title firefox: SNI was sometimes unencrypted
References
Metrics threat_severity

None

 threat_severity

Low

Tue, 27 May 2025 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-319
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 27 May 2025 12:45:00 +0000

Type Values Removed Values Added
Description In certain cases, SNI could have been sent unencrypted even when encrypted DNS was enabled. This vulnerability affects Firefox < 139.
References

Subscriptions

Mozilla Firefox
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:30:47.210Z

Reserved: 2025-05-27T12:29:28.241Z

Link: CVE-2025-5270

cve-icon Vulnrichment

Updated: 2025-05-27T17:40:36.778Z

cve-icon NVD

Status : Modified

Published: 2025-05-27T13:15:22.823

Modified: 2026-04-13T15:17:05.097

Link: CVE-2025-5270

cve-icon Redhat

Severity : Low

Publid Date: 2025-05-27T12:29:28Z

Links: CVE-2025-5270 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T20:45:16Z

Weaknesses