Description
If a user visited a webpage with an invalid TLS certificate, and granted an exception, the webpage was able to provide a WebAuthn challenge that the user would be prompted to complete. This is in violation of the WebAuthN spec which requires "a secure transport established without errors". This vulnerability was fixed in Firefox 140 and Thunderbird 140.
Published: 2025-06-24
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Signing of WebAuthn Challenges via Invalid TLS
Action: Immediate Patch
AI Analysis

Impact

The vulnerability permits a webpage served over an invalid TLS connection to provide a WebAuthn challenge that the user can sign, which contravenes the WebAuthn specification that mandates a securely established transport. An attacker could therefore coerce a user into signing arbitrary data or authentication assertions, potentially enabling credential theft or unauthorized access. This isolation of a secure channel is a significant break in the web authentication model.

Affected Systems

This flaw affects Mozilla Firefox and Mozilla Thunderbird versions prior to 140. Upgrades to Firefox 140+ or Thunderbird 140+ contain the fix. These products are the sole vendors identified, as listed in the CVE data.

Risk and Exploitability

With a CVSS score of 9.8 the vulnerability is high severity, but its EPSS score of less than 1% indicates a low probability of exploitation at present, and it is not listed in CISA KEV. The expected attack vector requires a user to accept an invalid certificate and then interact with a webpage that presents a WebAuthn challenge; an attacker performing a phishing campaign could exploit this, though significant user interaction is required. Protective measures are recommended to reduce risk until the patch is applied.

Generated by OpenCVE AI on April 20, 2026 at 16:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Mozilla Firefox to version 140 or later.
  • Update Mozilla Thunderbird to version 140 or later.
  • Configure the browsers to refuse connections with invalid TLS certificates and avoid accepting exceptions on unexpected sites.

Generated by OpenCVE AI on April 20, 2026 at 16:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-19088 If a user visited a webpage with an invalid TLS certificate, and granted an exception, the webpage was able to provide a WebAuthn challenge that the user would be prompted to complete. This is in violation of the WebAuthN spec which requires "a secure transport established without errors". This vulnerability affects Firefox < 140 and Thunderbird < 140.
Ubuntu USN Ubuntu USN USN-7991-1 Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description If a user visited a webpage with an invalid TLS certificate, and granted an exception, the webpage was able to provide a WebAuthn challenge that the user would be prompted to complete. This is in violation of the WebAuthN spec which requires "a secure transport established without errors". This vulnerability affects Firefox < 140 and Thunderbird < 140. If a user visited a webpage with an invalid TLS certificate, and granted an exception, the webpage was able to provide a WebAuthn challenge that the user would be prompted to complete. This is in violation of the WebAuthN spec which requires "a secure transport established without errors". This vulnerability was fixed in Firefox 140 and Thunderbird 140.

Thu, 30 Oct 2025 16:30:00 +0000

Type Values Removed Values Added
Title firefox: WebAuthn would allow a user to sign a challenge on a webpage with an invalid TLS certificate WebAuthn would allow a user to sign a challenge on a webpage with an invalid TLS certificate

Tue, 15 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00033}

 epss

{'score': 0.00031}

Mon, 14 Jul 2025 18:45:00 +0000

Type Values Removed Values Added
Description If a user visited a webpage with an invalid TLS certificate, and granted an exception, the webpage was able to provide a WebAuthn challenge that the user would be prompted to complete. This is in violation of the WebAuthN spec which requires "a secure transport established without errors". This vulnerability affects Firefox < 140. If a user visited a webpage with an invalid TLS certificate, and granted an exception, the webpage was able to provide a WebAuthn challenge that the user would be prompted to complete. This is in violation of the WebAuthN spec which requires "a secure transport established without errors". This vulnerability affects Firefox < 140 and Thunderbird < 140.
References

Thu, 03 Jul 2025 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
Vendors & Products Mozilla
Mozilla firefox

Thu, 26 Jun 2025 00:30:00 +0000

Type Values Removed Values Added
Title firefox: WebAuthn would allow a user to sign a challenge on a webpage with an invalid TLS certificate
References
Metrics threat_severity

None

 threat_severity

Low

Wed, 25 Jun 2025 13:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-295
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 24 Jun 2025 12:45:00 +0000

Type Values Removed Values Added
Description If a user visited a webpage with an invalid TLS certificate, and granted an exception, the webpage was able to provide a WebAuthn challenge that the user would be prompted to complete. This is in violation of the WebAuthN spec which requires "a secure transport established without errors". This vulnerability affects Firefox < 140.
References

Subscriptions

Mozilla Firefox
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:31:09.599Z

Reserved: 2025-06-20T14:51:39.059Z

Link: CVE-2025-6433

cve-icon Vulnrichment

Updated: 2025-06-25T12:32:33.301Z

cve-icon NVD

Status : Modified

Published: 2025-06-24T13:15:24.327

Modified: 2026-04-13T15:17:07.807

Link: CVE-2025-6433

cve-icon Redhat

Severity : Low

Publid Date: 2025-06-24T12:28:04Z

Links: CVE-2025-6433 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T17:00:12Z

Weaknesses