Description
The exception page for the HTTPS-Only feature, displayed when a website is opened via HTTP, lacked an anti-clickjacking delay, potentially allowing an attacker to trick a user into granting an exception and loading a webpage over HTTP. This vulnerability was fixed in Firefox 140 and Thunderbird 140.
Published: 2025-06-24
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Potential downgrade of HTTPS to HTTP via clickjacking during exception prompt
Action: Patch
AI Analysis

Impact

The HTTPS-Only exception page in Firefox and Thunderbird lacked an anti-clickjacking delay, allowing an attacker to craft a page that tricks a user into granting a non-HTTPS exception. This could lead to the browser loading the site over HTTP, exposing the user to data interception, credential theft, or other downgrade attacks. The weakness corresponds to CWE-1021, a user interface manipulation flaw that requires user interaction to be exploited.

Affected Systems

Mozilla Firefox and Mozilla Thunderbird versions prior to 140 were impacted. The vulnerability was fixed in Firefox 140 and Thunderbird 140, so any release before these versions is considered vulnerable.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate severity, and the EPSS score of less than 1 % shows a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, suggesting it has not been widely exploited yet. Exploitation requires a user to interact with a maliciously crafted page that presents the exception screen; once the user clicks to accept the exception, the browser will load the HTTP site, potentially enabling further attacks.

Generated by OpenCVE AI on April 20, 2026 at 16:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Firefox to version 140 or later.
  • Upgrade Thunderbird to version 140 or later.
  • Educate users to verify the authenticity of HTTPS‑Only exception prompts before accepting the exception.

Generated by OpenCVE AI on April 20, 2026 at 16:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-21375 The exception page for the HTTPS-Only feature, displayed when a website is opened via HTTP, lacked an anti-clickjacking delay, potentially allowing an attacker to trick a user into granting an exception and loading a webpage over HTTP. This vulnerability affects Firefox < 140 and Thunderbird < 140.
Ubuntu USN Ubuntu USN USN-7991-1 Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description The exception page for the HTTPS-Only feature, displayed when a website is opened via HTTP, lacked an anti-clickjacking delay, potentially allowing an attacker to trick a user into granting an exception and loading a webpage over HTTP. This vulnerability affects Firefox < 140 and Thunderbird < 140. The exception page for the HTTPS-Only feature, displayed when a website is opened via HTTP, lacked an anti-clickjacking delay, potentially allowing an attacker to trick a user into granting an exception and loading a webpage over HTTP. This vulnerability was fixed in Firefox 140 and Thunderbird 140.

Thu, 30 Oct 2025 16:30:00 +0000

Type Values Removed Values Added
Title firefox: HTTPS-Only exception screen lacked anti-clickjacking delay HTTPS-Only exception screen lacked anti-clickjacking delay

Tue, 15 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00032}

 epss

{'score': 0.0003}

Mon, 14 Jul 2025 18:45:00 +0000

Type Values Removed Values Added
Description The exception page for the HTTPS-Only feature, displayed when a website is opened via HTTP, lacked an anti-clickjacking delay, potentially allowing an attacker to trick a user into granting an exception and loading a webpage over HTTP. This vulnerability affects Firefox < 140. The exception page for the HTTPS-Only feature, displayed when a website is opened via HTTP, lacked an anti-clickjacking delay, potentially allowing an attacker to trick a user into granting an exception and loading a webpage over HTTP. This vulnerability affects Firefox < 140 and Thunderbird < 140.
References

Thu, 03 Jul 2025 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
Vendors & Products Mozilla
Mozilla firefox

Thu, 26 Jun 2025 00:30:00 +0000

Type Values Removed Values Added
Title firefox: HTTPS-Only exception screen lacked anti-clickjacking delay
References
Metrics threat_severity

None

 threat_severity

Low

Wed, 25 Jun 2025 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1021
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Jun 2025 12:45:00 +0000

Type Values Removed Values Added
Description The exception page for the HTTPS-Only feature, displayed when a website is opened via HTTP, lacked an anti-clickjacking delay, potentially allowing an attacker to trick a user into granting an exception and loading a webpage over HTTP. This vulnerability affects Firefox < 140.
References

Subscriptions

Mozilla Firefox
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:31:11.320Z

Reserved: 2025-06-20T14:51:40.757Z

Link: CVE-2025-6434

cve-icon Vulnrichment

Updated: 2025-06-25T14:20:24.853Z

cve-icon NVD

Status : Modified

Published: 2025-06-24T13:15:24.447

Modified: 2026-04-13T15:17:07.977

Link: CVE-2025-6434

cve-icon Redhat

Severity : Low

Publid Date: 2025-06-24T12:28:04Z

Links: CVE-2025-6434 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T17:00:12Z

Weaknesses