Description
An attacker was able to bypass the `connect-src` directive of a Content Security Policy by manipulating subdocuments. This would have also hidden the connections from the Network tab in Devtools. This vulnerability was fixed in Firefox 140 and Thunderbird 140.
Published: 2025-06-24
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: CSP Bypass
Action: Immediate Patch
AI Analysis

Impact

An attacker can manipulate subdocuments to bypass the connect-src directive of a Content Security Policy. This bypass allows the attacker to initiate arbitrary network connections from the affected application, potentially exfiltrating data or communicating with malicious servers without the browser’s usual enforcement. The vulnerability also conceals these connections from the Network tab in DevTools, making detection harder. The weakness is characterized by CWE‑693, which deals with compromised control flow integrity or validation concerns.

Affected Systems

Mozilla Firefox and Mozilla Thunderbird versions prior to 140 are affected. The fix is implemented in Firefox 140 and Thunderbird 140, so any installation older than those releases is vulnerable.

Risk and Exploitability

The CVSS score of 9.1 indicates very high severity. The EPSS score of less than 1 % suggests that, as of now, exploitation is unlikely, and the vulnerability is not listed in CISA’s KEV catalog. However, once exploitation becomes possible, the lack of browser-enforced protection could enable malicious scripts to connect to arbitrary domains, potentially compromising confidentiality and integrity of data transmitted by the affected products.

Generated by OpenCVE AI on April 20, 2026 at 16:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mozilla Firefox to version 140 or newer.
  • Upgrade Mozilla Thunderbird to version 140 or newer.
  • If upgrading immediately is not feasible, review and tighten the application’s Content Security Policy to limit connect-src to only trusted origins and monitor network traffic for unexpected outbound connections.

Generated by OpenCVE AI on April 20, 2026 at 16:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-21379 An attacker was able to bypass the `connect-src` directive of a Content Security Policy by manipulating subdocuments. This would have also hidden the connections from the Network tab in Devtools. This vulnerability affects Firefox < 140 and Thunderbird < 140.
Ubuntu USN Ubuntu USN USN-7991-1 Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description An attacker was able to bypass the `connect-src` directive of a Content Security Policy by manipulating subdocuments. This would have also hidden the connections from the Network tab in Devtools. This vulnerability affects Firefox < 140 and Thunderbird < 140. An attacker was able to bypass the `connect-src` directive of a Content Security Policy by manipulating subdocuments. This would have also hidden the connections from the Network tab in Devtools. This vulnerability was fixed in Firefox 140 and Thunderbird 140.

Thu, 30 Oct 2025 16:30:00 +0000

Type Values Removed Values Added
Title firefox: connect-src Content Security Policy restriction could be bypassed connect-src Content Security Policy restriction could be bypassed

Tue, 15 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00055}

 epss

{'score': 0.00052}

Mon, 14 Jul 2025 18:45:00 +0000

Type Values Removed Values Added
Description An attacker was able to bypass the `connect-src` directive of a Content Security Policy by manipulating subdocuments. This would have also hidden the connections from the Network tab in Devtools. This vulnerability affects Firefox < 140. An attacker was able to bypass the `connect-src` directive of a Content Security Policy by manipulating subdocuments. This would have also hidden the connections from the Network tab in Devtools. This vulnerability affects Firefox < 140 and Thunderbird < 140.
References

Thu, 03 Jul 2025 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
Vendors & Products Mozilla
Mozilla firefox

Thu, 26 Jun 2025 00:30:00 +0000

Type Values Removed Values Added
Title firefox: connect-src Content Security Policy restriction could be bypassed
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 25 Jun 2025 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-693
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 24 Jun 2025 12:45:00 +0000

Type Values Removed Values Added
Description An attacker was able to bypass the `connect-src` directive of a Content Security Policy by manipulating subdocuments. This would have also hidden the connections from the Network tab in Devtools. This vulnerability affects Firefox < 140.
References

Subscriptions

Mozilla Firefox
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:31:00.300Z

Reserved: 2025-06-20T14:51:31.244Z

Link: CVE-2025-6427

cve-icon Vulnrichment

Updated: 2025-06-25T14:21:00.484Z

cve-icon NVD

Status : Modified

Published: 2025-06-24T13:15:23.650

Modified: 2026-04-13T15:17:06.703

Link: CVE-2025-6427

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-06-24T12:28:01Z

Links: CVE-2025-6427 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T17:00:12Z

Weaknesses