CVE-2025-6429 - Vulnerability Details

- Incorrect parsing of URLs could have allowed embedding of youtube.com

Description

Firefox could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing the URL specified in an `embed` tag. This could have bypassed website security checks that restricted which domains users were allowed to embed. This vulnerability was fixed in Firefox 140, Firefox ESR 128.12, Thunderbird 140, and Thunderbird 128.12.

Published: 2025-06-24

Score: 6.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Firefox could incorrectly parse a URL in an embed tag and rewrite it so that the resulting domain becomes youtube.com. This misparsing allowed a malicious web page to bypass site‑wide restrictions that limit which domains may be embedded, potentially exposing users to untrusted content. The flaw combines string manipulation failure (CWE‑116) with improper handling of embedded elements (CWE‑706). The impact is the unintended loading of third‑party content, which can compromise the integrity of the browsing experience, although it does not directly lead to code execution.

Affected Systems

Versions of Mozilla Firefox before 140 (or the ESR 128.12 release) and versions of Mozilla Thunderbird before 140 (or the ESR 128.12 release) are susceptible. The CVE list includes Common Platform Enumeration entries that reference Red Hat Enterprise Linux families — 8, 9, and 10 (including rhel_aus, rhel_e4s, rhel_eus, and rhel_tus variants). No other operating systems are explicitly listed in the CVE data, so the impact is confined to platforms where these browsers are deployed according to the provided CPEs.

Risk and Exploitability

The CVSS score of 6.5 indicates a medium‑to‑high risk, whereas the EPSS score of less than 1% suggests exploitation is considered unlikely at present. The vulnerability is not listed in CISA’s KEV catalog, indicating no widespread exploitation has been observed. Based on the description, the likely attack vector is a crafted web page that includes an embed tag with a URL designed to trigger the misparse; this inference assumes that attackers can control the content served to the victim’s browser. No privileged interaction or remote code execution is required. Exploitation is therefore limited to deceptive manipulation of the browsing context within the victim’s browser.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Mozilla

Firefox

affected

Version	Status	Constraints
`128.12`	unaffected	≤ 128.*
`140`	unaffected	≤ *

Mozilla

Thunderbird

affected

Version	Status	Constraints
`128.12`	unaffected	≤ 128.*
`140`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:a:mozilla:firefox:::::esr:::*
	cpe:2.3:a:mozilla:firefox:::::-:::*

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 10
firefox-0:128.12.0-1.el10_0	cpe:/o:redhat:enterprise_linux:10.0	RHSA-2025:10073	2025-07-01T00:00:00Z
thunderbird-0:128.12.0-1.el10_0	cpe:/o:redhat:enterprise_linux:10.0	RHSA-2025:10195	2025-07-02T00:00:00Z
Red Hat Enterprise Linux 7 Extended Lifecycle Support
firefox-0:128.12.0-1.el7_9	cpe:/o:redhat:rhel_els:7	RHSA-2025:10181	2025-07-02T00:00:00Z
Red Hat Enterprise Linux 8
firefox-0:128.12.0-1.el8_10	cpe:/a:redhat:enterprise_linux:8	RHSA-2025:10074	2025-07-01T00:00:00Z
thunderbird-0:128.12.0-1.el8_10	cpe:/a:redhat:enterprise_linux:8	RHSA-2025:10246	2025-07-02T00:00:00Z
Red Hat Enterprise Linux 8.2 Advanced Update Support
thunderbird-0:128.12.0-1.el8_2	cpe:/a:redhat:rhel_aus:8.2	RHSA-2025:10166	2025-07-01T00:00:00Z
firefox-0:128.12.0-1.el8_2	cpe:/a:redhat:rhel_aus:8.2	RHSA-2025:10182	2025-07-02T00:00:00Z
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
thunderbird-0:128.12.0-1.el8_4	cpe:/a:redhat:rhel_aus:8.4	RHSA-2025:10165	2025-07-01T00:00:00Z
firefox-0:128.12.0-1.el8_4	cpe:/a:redhat:rhel_aus:8.4	RHSA-2025:10184	2025-07-02T00:00:00Z
Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
thunderbird-0:128.12.0-1.el8_6	cpe:/a:redhat:rhel_aus:8.6	RHSA-2025:10164	2025-07-01T00:00:00Z
firefox-0:128.12.0-1.el8_6	cpe:/a:redhat:rhel_aus:8.6	RHSA-2025:10183	2025-07-02T00:00:00Z
Red Hat Enterprise Linux 8.6 Telecommunications Update Service
thunderbird-0:128.12.0-1.el8_6	cpe:/a:redhat:rhel_tus:8.6	RHSA-2025:10164	2025-07-01T00:00:00Z
firefox-0:128.12.0-1.el8_6	cpe:/a:redhat:rhel_tus:8.6	RHSA-2025:10183	2025-07-02T00:00:00Z
Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
thunderbird-0:128.12.0-1.el8_6	cpe:/a:redhat:rhel_e4s:8.6	RHSA-2025:10164	2025-07-01T00:00:00Z
firefox-0:128.12.0-1.el8_6	cpe:/a:redhat:rhel_e4s:8.6	RHSA-2025:10183	2025-07-02T00:00:00Z
Red Hat Enterprise Linux 8.8 Telecommunications Update Service
thunderbird-0:128.12.0-1.el8_8	cpe:/a:redhat:rhel_tus:8.8	RHSA-2025:10163	2025-07-01T00:00:00Z
firefox-0:128.12.0-1.el8_8	cpe:/a:redhat:rhel_tus:8.8	RHSA-2025:10186	2025-07-02T00:00:00Z
Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
thunderbird-0:128.12.0-1.el8_8	cpe:/a:redhat:rhel_e4s:8.8	RHSA-2025:10163	2025-07-01T00:00:00Z
firefox-0:128.12.0-1.el8_8	cpe:/a:redhat:rhel_e4s:8.8	RHSA-2025:10186	2025-07-02T00:00:00Z
Red Hat Enterprise Linux 9
firefox-0:128.12.0-1.el9_6	cpe:/a:redhat:enterprise_linux:9	RHSA-2025:10072	2025-07-01T00:00:00Z
thunderbird-0:128.12.0-1.el9_6	cpe:/a:redhat:enterprise_linux:9	RHSA-2025:10196	2025-07-02T00:00:00Z
Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions
thunderbird-0:128.12.0-1.el9_0	cpe:/a:redhat:rhel_e4s:9.0	RHSA-2025:10161	2025-07-01T00:00:00Z
firefox-0:128.12.0-1.el9_0	cpe:/a:redhat:rhel_e4s:9.0	RHSA-2025:10187	2025-07-02T00:00:00Z
Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions
thunderbird-0:128.12.0-1.el9_2	cpe:/a:redhat:rhel_e4s:9.2	RHSA-2025:10160	2025-07-01T00:00:00Z
firefox-0:128.12.0-1.el9_2	cpe:/a:redhat:rhel_e4s:9.2	RHSA-2025:10185	2025-07-02T00:00:00Z
Red Hat Enterprise Linux 9.4 Extended Update Support
thunderbird-0:128.12.0-1.el9_4	cpe:/a:redhat:rhel_eus:9.4	RHSA-2025:10159	2025-07-01T00:00:00Z
firefox-0:128.12.0-1.el9_4	cpe:/a:redhat:rhel_eus:9.4	RHSA-2025:10188	2025-07-02T00:00:00Z

Vendor	Product	Confidence	Versions
Mozilla	Firefox	—	—
Mozilla	Firefox Esr	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Firefox to version 140 or later, or the ESR 128.12 release or newer.
Upgrade Thunderbird to version 140 or later, or the ESR 128.12 release or newer.
If an upgrade cannot be performed immediately, adjust browser configuration to block or restrict embedded content from third‑party domains, such as by using site‑content restrictions or disabling the embed tag handling in browser settings.

Generated by OpenCVE AI on April 20, 2026 at 20:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4231-1	firefox-esr security update
Debian DLA	DLA-4239-1	thunderbird security update
Debian DSA	DSA-5950-1	firefox-esr security update
Debian DSA	DSA-5959-1	thunderbird security update
EUVD	EUVD-2025-21378	Firefox could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing the URL specified in an `embed` tag. This could have bypassed website security checks that restricted which domains users were allowed to embed. This vulnerability affects Firefox < 140, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12.
Ubuntu USN	USN-7663-1	Thunderbird vulnerabilities

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00431.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://bugzilla.mozilla.org/show_bug.cgi?id=1970658
https://lists.debian.org/debian-lts-announce/2025/06/msg00029.html
https://lists.debian.org/debian-lts-announce/2025/07/msg00002.html
https://nvd.nist.gov/vuln/detail/CVE-2025-6429
https://www.cve.org/CVERecord?id=CVE-2025-6429
https://www.mozilla.org/security/advisories/mfsa2025-51/
https://www.mozilla.org/security/advisories/mfsa2025-53/
https://www.mozilla.org/security/advisories/mfsa2025-53/#CVE-2025-6429
https://www.mozilla.org/security/advisories/mfsa2025-54/
https://www.mozilla.org/security/advisories/mfsa2025-55/

History

Mon, 13 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Description	Firefox could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing the URL specified in an `embed` tag. This could have bypassed website security checks that restricted which domains users were allowed to embed. This vulnerability affects Firefox < 140, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12.	Firefox could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing the URL specified in an `embed` tag. This could have bypassed website security checks that restricted which domains users were allowed to embed. This vulnerability was fixed in Firefox 140, Firefox ESR 128.12, Thunderbird 140, and Thunderbird 128.12.

Mon, 03 Nov 2025 20:30:00 +0000

Type	Values Removed	Values Added
References		https://lists.debian.org/debian-lts-announce/2025/06/msg00029.html https://lists.debian.org/debian-lts-announce/2025/07/msg00002.html

Thu, 30 Oct 2025 16:30:00 +0000

Type	Values Removed	Values Added
Title	firefox: thunderbird: Incorrect parsing of URLs could have allowed embedding of youtube.com	Incorrect parsing of URLs could have allowed embedding of youtube.com

Wed, 16 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00035}`	epss `{'score': 0.00062}`

Tue, 15 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00031}`	epss `{'score': 0.00035}`

Mon, 14 Jul 2025 18:45:00 +0000

Type	Values Removed	Values Added
Description	Firefox could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing the URL specified in an `embed` tag. This could have bypassed website security checks that restricted which domains users were allowed to embed. This vulnerability affects Firefox < 140 and Firefox ESR < 128.12.	Firefox could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing the URL specified in an `embed` tag. This could have bypassed website security checks that restricted which domains users were allowed to embed. This vulnerability affects Firefox < 140, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12.
References		https://www.mozilla.org/security/advisories/mfsa2025-54/ https://www.mozilla.org/security/advisories/mfsa2025-55/

Fri, 04 Jul 2025 02:30:00 +0000

Type	Values Removed	Values Added
Title	firefox: Incorrect parsing of URLs could have allowed embedding of youtube.com	firefox: thunderbird: Incorrect parsing of URLs could have allowed embedding of youtube.com

Thu, 03 Jul 2025 17:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mozilla Mozilla firefox
CPEs		cpe:2.3:a:mozilla:firefox:::::-:::* cpe:2.3:a:mozilla:firefox:::::esr:::*
Vendors & Products		Mozilla Mozilla firefox

Wed, 02 Jul 2025 14:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhel Aus Redhat rhel E4s Redhat rhel Els Redhat rhel Eus Redhat rhel Tus
CPEs		cpe:/a:redhat:enterprise_linux:9 cpe:/a:redhat:rhel_aus:8.2 cpe:/a:redhat:rhel_aus:8.4 cpe:/a:redhat:rhel_aus:8.6 cpe:/a:redhat:rhel_e4s:8.6 cpe:/a:redhat:rhel_e4s:8.8 cpe:/a:redhat:rhel_e4s:9.0 cpe:/a:redhat:rhel_e4s:9.2 cpe:/a:redhat:rhel_eus:9.4 cpe:/a:redhat:rhel_tus:8.6 cpe:/a:redhat:rhel_tus:8.8 cpe:/o:redhat:enterprise_linux:10.0 cpe:/o:redhat:rhel_els:7
Vendors & Products		Redhat rhel Aus Redhat rhel E4s Redhat rhel Els Redhat rhel Eus Redhat rhel Tus

Wed, 02 Jul 2025 02:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat Redhat enterprise Linux
CPEs		cpe:/a:redhat:enterprise_linux:8
Vendors & Products		Redhat Redhat enterprise Linux

Thu, 26 Jun 2025 02:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-706
References		https://www.mozilla.org/security/advisories/mfsa2025-53/#CVE-2025-6429

Wed, 25 Jun 2025 15:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-116
Metrics	cvssV3_1 `{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}`	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}` cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}`

Wed, 25 Jun 2025 00:30:00 +0000

Type	Values Removed	Values Added
Title		firefox: Incorrect parsing of URLs could have allowed embedding of youtube.com
References		https://nvd.nist.gov/vuln/detail/CVE-2025-6429 https://www.cve.org/CVERecord?id=CVE-2025-6429
Metrics	threat_severity `None`	cvssV3_1 `{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}` threat_severity `Moderate`

Tue, 24 Jun 2025 12:45:00 +0000

Type	Values Removed	Values Added
Description		Firefox could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing the URL specified in an `embed` tag. This could have bypassed website security checks that restricted which domains users were allowed to embed. This vulnerability affects Firefox < 140 and Firefox ESR < 128.12.
References		https://bugzilla.mozilla.org/show_bug.cgi?id=1970658 https://www.mozilla.org/security/advisories/mfsa2025-51/ https://www.mozilla.org/security/advisories/mfsa2025-53/

Subscriptions

Mozilla Firefox Firefox Esr

Redhat Enterprise Linux Rhel Aus Rhel E4s Rhel Els Rhel Eus Rhel Tus

MITRE

Status: PUBLISHED

Assigner: mozilla

Published: 2025-06-24T12:28:00.819Z

Updated: 2026-04-13T14:30:42.931Z

Reserved: 2025-06-20T14:51:34.184Z

Link: CVE-2025-6429

Vulnrichment

Updated: 2025-11-03T20:07:03.248Z

NVD

Status : Modified

Published: 2025-06-24T13:15:23.877

Modified: 2026-04-13T15:17:07.070

Link: CVE-2025-6429

Redhat

Severity : Moderate

Publid Date: 2025-06-24T12:28:00Z

Links: CVE-2025-6429 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-20T20:30:16Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object