Description
Previewing a response in Devtools ignored CSP headers, which could have allowed content injection attacks. This vulnerability was fixed in Firefox 139 and Thunderbird 139.
Published: 2025-05-27
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Client‑Side Content Injection
Action: Apply Patches
AI Analysis

Impact

A flaw in the developer tools caused the preview of network responses to ignore the Content‑Security‑Policy headers that would normally restrict what content can be displayed or executed. Because CSP was bypassed, a malicious page could have caused the browser to load or execute attacker‑controlled resources when a developer inspected responses in the network panel, leading to potential script injection or other content‑injection attacks within the user’s browser context.

Affected Systems

Mozilla products affected by this issue include Firefox and Thunderbird. All releases prior to version 139 are vulnerable; the vulnerability was corrected in Firefox 139 and Thunderbird 139. Users who continue to use older builds are at risk.

Risk and Exploitability

The severity of the flaw is reflected in a CVSS score of 6.5, indicating moderate risk. The EPSS score of less than 1% suggests the probability of widespread exploitation is currently low, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a compromised or malicious web page that, when a developer inspects it with the network preview tool, injects content that bypasses CSP. No privilege escalation or remote code execution outside the browser session is described, and the vulnerability appears confined to the client‑side developer tools environment.

Generated by OpenCVE AI on April 20, 2026 at 18:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to Firefox 139 or newer, or Thunderbird 139 or newer, to receive the fixed developer tools behavior.
  • Disable the Network preview feature in developer tools for untrusted content or set `devtools.netlog.enabled` to false to prevent bypass of CSP in DevTools previews.
  • Maintain strict Content‑Security‑Policy headers in your web applications, ensuring that directives like `default-src`, `script-src`, and `object-src` are properly configured to mitigate potential content injection.

Advisories

  EUVD, EUVD-2025-18105: Previewing a response in Devtools ignored CSP headers, which could have allowed content injection attacks. This vulnerability affects Firefox < 139 and Thunderbird < 139.
  Ubuntu USN, USN-7991-1: Thunderbird vulnerabilities

History

Mon, 13 Apr 2026 15:00:00 +0000

  Description
    Values Removed: Previewing a response in Devtools ignored CSP headers, which could have allowed content injection attacks. This vulnerability affects Firefox < 139 and Thunderbird < 139.
    Values Added: Previewing a response in Devtools ignored CSP headers, which could have allowed content injection attacks. This vulnerability was fixed in Firefox 139 and Thunderbird 139.

Thu, 30 Oct 2025 16:30:00 +0000

  Title
    Values Removed: firefox: Devtools' preview ignored CSP headers
    Values Added: Devtools' preview ignored CSP headers

Wed, 11 Jun 2025 12:15:00 +0000

  Description
    Values Removed: Previewing a response in Devtools ignored CSP headers, which could have allowed content injection attacks. This vulnerability affects Firefox < 139.
    Values Added: Previewing a response in Devtools ignored CSP headers, which could have allowed content injection attacks. This vulnerability affects Firefox < 139 and Thunderbird < 139.
  References

Wed, 28 May 2025 19:00:00 +0000

  First Time appeared
    Values Added: Mozilla; Mozilla firefox
  CPEs
    Values Added: cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
  Vendors & Products
    Values Added: Mozilla; Mozilla firefox

Wed, 28 May 2025 14:45:00 +0000

  Title
    Values Added: firefox: Devtools' preview ignored CSP headers
  Weaknesses
    Values Added: CWE-807
  References
  Metrics
    Values Removed: threat_severity: None
    Values Added: threat_severity: Low


Tue, 27 May 2025 18:15:00 +0000

  Weaknesses
    Values Added: CWE-116
  Metrics
    Values Added: cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}
    Values Added: ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 27 May 2025 12:45:00 +0000

  Description
    Values Added: Previewing a response in Devtools ignored CSP headers, which could have allowed content injection attacks. This vulnerability affects Firefox < 139.
  References

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:30:48.968Z

Reserved: 2025-05-27T12:29:29.015Z

Link: CVE-2025-5271

Vulnrichment

Updated: 2025-05-27T17:37:27.980Z

NVD

Status: Modified

Published: 2025-05-27T13:15:22.923

Modified: 2026-04-13T15:17:05.267

Link: CVE-2025-5271

Redhat

Severity: Low

Public Date: 2025-05-27T12:29:29Z

Links: CVE-2025-5271 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-20T18:15:13Z

Weaknesses