Description
The `username:password` part was not correctly stripped from URLs in CSP reports potentially leaking HTTP Basic Authentication credentials. This vulnerability was fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1.
Published: 2025-07-22
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Confidentiality breach through leaked credentials
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from improper removal of username and password information from URLs in Content Security Policy (CSP) violation reports, allowing attackers to capture HTTP Basic Authentication credentials. This flaw can compromise user confidentiality by exposing account credentials to malicious actors, increasing the risk of account takeover or broader system compromise. The weakness is categorized as CWE‑276, indicating incorrect assignment or handling of sensitive information.

Affected Systems

Mozilla browsers, specifically Firefox versions prior to 141, Firefox ESR 128.13 and 140.1, and Thunderbird versions prior to 141, Thunderbird ESR 128.13 and 140.1, are impacted. Any system running these browser builds, including installations on Red Hat Enterprise Linux 8, 9, or 10 environments, may be vulnerable.

Risk and Exploitability

The CVSS score of 9.8 classifies this as a critical vulnerability, yet the EPSS score of less than 1% points to a low current likelihood of exploitation. It is not listed in CISA’s KEV catalog. The likely attack scenario involves a remote attacker serving a malicious web page that triggers a CSP violation, causing the browser to generate a report that inadvertently exposes credentials. Once exposed, the attacker could obtain and use the victim's authentication tokens to access protected resources.

Generated by OpenCVE AI on April 20, 2026 at 18:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Firefox 141 or newer, including ESR 128.13 or 140.1 releases
  • Upgrade to Thunderbird 141 or newer, including ESR 128.13 or 140.1 releases
  • If immediate upgrade is not possible, temporarily disable CSP violation reporting in the browser settings or block the reporting endpoint through network controls

Generated by OpenCVE AI on April 20, 2026 at 18:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4250-1 firefox-esr security update
Debian DLA Debian DLA DLA-4253-1 thunderbird security update
Debian DSA Debian DSA DSA-5964-1 firefox-esr security update
Debian DSA Debian DSA DSA-5966-1 thunderbird security update
EUVD EUVD EUVD-2025-22366 The `username:password` part was not correctly stripped from URLs in CSP reports potentially leaking HTTP Basic Authentication credentials. This vulnerability affects Firefox < 141, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13, and Thunderbird < 140.1.
Ubuntu USN Ubuntu USN USN-7991-1 Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description The `username:password` part was not correctly stripped from URLs in CSP reports potentially leaking HTTP Basic Authentication credentials. This vulnerability affects Firefox < 141, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13, and Thunderbird < 140.1. The `username:password` part was not correctly stripped from URLs in CSP reports potentially leaking HTTP Basic Authentication credentials. This vulnerability was fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1.

Mon, 03 Nov 2025 20:30:00 +0000

Type Values Removed Values Added
References

Thu, 30 Oct 2025 16:15:00 +0000

Type Values Removed Values Added
Title firefox: thunderbird: Incorrect URL stripping in CSP reports Incorrect URL stripping in CSP reports

Fri, 15 Aug 2025 14:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*

Tue, 29 Jul 2025 12:30:00 +0000

Type Values Removed Values Added
Title firefox: thunderbird: Incorrect URL stripping in CSP reports
First Time appeared Redhat
Redhat enterprise Linux
CPEs cpe:/a:redhat:enterprise_linux:8
cpe:/a:redhat:enterprise_linux:9
cpe:/o:redhat:enterprise_linux:10.0
Vendors & Products Redhat
Redhat enterprise Linux
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 23 Jul 2025 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Mozilla firefox Esr
Mozilla thunderbird
Vendors & Products Mozilla
Mozilla firefox
Mozilla firefox Esr
Mozilla thunderbird

Wed, 23 Jul 2025 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-276
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 22 Jul 2025 21:00:00 +0000

Type Values Removed Values Added
Description The `username:password` part was not correctly stripped from URLs in CSP reports potentially leaking HTTP Basic Authentication credentials. This vulnerability affects Firefox < 141, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13, and Thunderbird < 140.1.
References

Subscriptions

Mozilla Firefox Firefox Esr Thunderbird
Redhat Enterprise Linux
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:26:57.626Z

Reserved: 2025-07-22T10:13:55.392Z

Link: CVE-2025-8031

cve-icon Vulnrichment

Updated: 2025-11-03T20:07:49.625Z

cve-icon NVD

Status : Modified

Published: 2025-07-22T21:15:50.257

Modified: 2026-04-13T15:17:09.433

Link: CVE-2025-8031

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-07-22T20:49:26Z

Links: CVE-2025-8031 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T18:15:13Z

Weaknesses