Description
If a user saved a response from the Network tab in Devtools using the Save As context menu option, that file may not have been saved with the `.download` file extension. This could have led to the user inadvertently running a malicious executable. This vulnerability was fixed in Firefox 140 and Thunderbird 140.
Published: 2025-06-24
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local code execution
Action: Immediate Patch
AI Analysis

Impact

A flaw in Firefox and Thunderbird’s Devtools lets a user save network responses using the Save As option without appending the .download extension. If the original resource was an executable, the file may be saved with a misleading extension and executed inadvertently. This weakness enables local execution of malicious code by exploiting the user’s interaction with the browser’s developer tools. The flaw is identified as CWE‑434, reflecting improper handling of untrusted content that can become executable.

Affected Systems

The vulnerability affects Mozilla Firefox and Thunderbird versions prior to 140. Users running Firefox 139 or earlier and Thunderbird 139 or earlier are susceptible when they use the Devtools network panel to save responses. Newer releases include a fix that forces the .download extension.

Risk and Exploitability

With a CVSS score of 8.1, the flaw is assessed as high severity, but the EPSS score of less than 1 % indicates a low likelihood of widespread exploitation. It is not listed in CISA’s KEV catalog. The attack requires a local user to open Devtools and save a response, making it a local, user‑initiated vector. Successful exploitation can lead to the execution of arbitrary code on the affected machine.

Generated by OpenCVE AI on April 20, 2026 at 16:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch by upgrading to Firefox 140 or later or Thunderbird 140 or later.
  • If an update cannot be applied immediately, avoid using the Devtools Save As feature for unknown or untrusted network responses, and verify file extensions before executing the file.
  • Run antivirus or endpoint protection to scan files saved via Devtools before any execution.

Generated by OpenCVE AI on April 20, 2026 at 16:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-19016 If a user saved a response from the Network tab in Devtools using the Save As context menu option, that file may not have been saved with the `.download` file extension. This could have led to the user inadvertently running a malicious executable. This vulnerability affects Firefox < 140 and Thunderbird < 140.
Ubuntu USN Ubuntu USN USN-7991-1 Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description If a user saved a response from the Network tab in Devtools using the Save As context menu option, that file may not have been saved with the `.download` file extension. This could have led to the user inadvertently running a malicious executable. This vulnerability affects Firefox < 140 and Thunderbird < 140. If a user saved a response from the Network tab in Devtools using the Save As context menu option, that file may not have been saved with the `.download` file extension. This could have led to the user inadvertently running a malicious executable. This vulnerability was fixed in Firefox 140 and Thunderbird 140.

Thu, 13 Nov 2025 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:* cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
Vendors & Products Mozilla thunderbird

Thu, 30 Oct 2025 16:30:00 +0000

Type Values Removed Values Added
Title firefox: Save as in Devtools could download files without sanitizing the extension Save as in Devtools could download files without sanitizing the extension

Tue, 15 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00056}

 epss

{'score': 0.00061}

Mon, 14 Jul 2025 18:45:00 +0000

Type Values Removed Values Added
Description If a user saved a response from the Network tab in Devtools using the Save As context menu option, that file may not have been saved with the `.download` file extension. This could have led to the user inadvertently running a malicious executable. This vulnerability affects Firefox < 140. If a user saved a response from the Network tab in Devtools using the Save As context menu option, that file may not have been saved with the `.download` file extension. This could have led to the user inadvertently running a malicious executable. This vulnerability affects Firefox < 140 and Thunderbird < 140.
References

Thu, 03 Jul 2025 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
Vendors & Products Mozilla
Mozilla firefox

Thu, 26 Jun 2025 00:30:00 +0000

Type Values Removed Values Added
Title firefox: Save as in Devtools could download files without sanitizing the extension
References
Metrics threat_severity

None

 threat_severity

Low

Tue, 24 Jun 2025 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-434
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 24 Jun 2025 12:45:00 +0000

Type Values Removed Values Added
Description If a user saved a response from the Network tab in Devtools using the Save As context menu option, that file may not have been saved with the `.download` file extension. This could have led to the user inadvertently running a malicious executable. This vulnerability affects Firefox < 140.
References

Subscriptions

Mozilla Firefox Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:31:13.241Z

Reserved: 2025-06-20T14:51:42.561Z

Link: CVE-2025-6435

cve-icon Vulnrichment

Updated: 2025-06-24T13:39:11.564Z

cve-icon NVD

Status : Modified

Published: 2025-06-24T13:15:24.560

Modified: 2026-04-13T15:17:08.143

Link: CVE-2025-6435

cve-icon Redhat

Severity : Low

Publid Date: 2025-06-24T12:28:04Z

Links: CVE-2025-6435 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T17:00:12Z

Weaknesses