{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-8031", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2025-07-22T10:13:55.392Z", "datePublished": "2025-07-22T20:49:26.243Z", "dateUpdated": "2026-04-13T14:26:57.626Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "128.13", "lessThanOrEqual": "128.*", "versionType": "rpm"}, {"status": "unaffected", "version": "140.1", "lessThanOrEqual": "140.*", "versionType": "rpm"}, {"status": "unaffected", "version": "141", "lessThanOrEqual": "*", "versionType": "rpm"}]}, {"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "128.13", "lessThanOrEqual": "128.*", "versionType": "rpm"}, {"status": "unaffected", "version": "140.1", "lessThanOrEqual": "140.*", "versionType": "rpm"}, {"status": "unaffected", "version": "141", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "The `username:password` part was not correctly stripped from URLs in CSP reports potentially leaking HTTP Basic Authentication credentials. This vulnerability was fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "The <code>username:password</code> part was not correctly stripped from URLs in CSP reports potentially leaking HTTP Basic Authentication credentials. This vulnerability was fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1."}]}], "title": "Incorrect URL stripping in CSP reports", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1971719"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-56/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-58/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-59/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-61/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-62/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-63/"}], "credits": [{"lang": "en", "value": "Tom Schuster"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:26:57.626Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-276", "lang": "en", "description": "CWE-276 Incorrect Default Permissions"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-07-23T13:56:53.422028Z", "id": "CVE-2025-8031", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-04T15:54:01.343Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00016.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T20:07:49.625Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00016.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T20:07:49.625Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-8031", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-07-23T13:56:53.422028Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-276", "description": "CWE-276 Incorrect Default Permissions"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-23T14:00:25.066Z"}}], "cna": {"title": "Incorrect URL stripping in CSP reports", "credits": [{"lang": "en", "value": "Tom Schuster"}], "affected": [{"vendor": "Mozilla", "product": "Firefox", "versions": [{"status": "unaffected", "version": "128.13", "versionType": "rpm", "lessThanOrEqual": "128.*"}, {"status": "unaffected", "version": "140.1", "versionType": "rpm", "lessThanOrEqual": "140.*"}, {"status": "unaffected", "version": "141", "versionType": "rpm", "lessThanOrEqual": "*"}]}, {"vendor": "Mozilla", "product": "Thunderbird", "versions": [{"status": "unaffected", "version": "128.13", "versionType": "rpm", "lessThanOrEqual": "128.*"}, {"status": "unaffected", "version": "140.1", "versionType": "rpm", "lessThanOrEqual": "140.*"}, {"status": "unaffected", "version": "141", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1971719"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-56/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-58/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-59/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-61/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-62/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-63/"}], "descriptions": [{"lang": "en", "value": "The `username:password` part was not correctly stripped from URLs in CSP reports potentially leaking HTTP Basic Authentication credentials. This vulnerability was fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1.", "supportingMedia": [{"type": "text/html", "value": "The <code>username:password</code> part was not correctly stripped from URLs in CSP reports potentially leaking HTTP Basic Authentication credentials. This vulnerability was fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:26:57.626Z"}}}, "cveMetadata": {"cveId": "CVE-2025-8031", "state": "PUBLISHED", "dateUpdated": "2026-04-13T14:26:57.626Z", "dateReserved": "2025-07-22T10:13:55.392Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2025-07-22T20:49:26.243Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*", "matchCriteriaId": "7C22C9BA-7B86-487A-B0A4-419A0D163B56", "versionEndExcluding": "128.13.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*", "matchCriteriaId": "8684A46E-D70A-4830-8971-A6DCC360F422", "versionEndExcluding": "141.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*", "matchCriteriaId": "BB48C2EF-A6AC-4445-9417-1B65D5BC509B", "versionEndExcluding": "140.1.0", "versionStartIncluding": "140.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*", "matchCriteriaId": "B9BB9B0C-2B49-44EA-9BED-241A8CE8794E", "versionEndExcluding": "128.13.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*", "matchCriteriaId": "95D506DD-BD9B-4D90-802F-5BE673F1CF14", "versionEndExcluding": "141.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*", "matchCriteriaId": "8CE266C2-5AF1-4C57-9B7C-47039FF06384", "versionEndExcluding": "140.1.0", "versionStartIncluding": "140.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The `username:password` part was not correctly stripped from URLs in CSP reports potentially leaking HTTP Basic Authentication credentials. This vulnerability was fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1."}, {"lang": "es", "value": "La parte `username:password` no se elimin\u00f3 correctamente de las URL en los informes de CSP, lo que podr\u00eda filtrar credenciales de autenticaci\u00f3n b\u00e1sica HTTP. Esta vulnerabilidad afecta a Firefox &lt; 141, Firefox ESR &lt; 128.13, Firefox ESR &lt; 140.1, Thunderbird &lt; 141, Thunderbird &lt; 128.13 y Thunderbird &lt; 140.1."}], "id": "CVE-2025-8031", "lastModified": "2026-04-13T15:17:09.433", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-07-22T21:15:50.257", "references": [{"source": "security@mozilla.org", "tags": ["Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1971719"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-56/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-58/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-59/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-61/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-62/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-63/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00016.html"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-276"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2025:11797", "cpe": "cpe:/o:redhat:enterprise_linux:10.0", "package": "firefox-0:128.13.0-1.el10_0", "product_name": "Red Hat Enterprise Linux 10", "release_date": "2025-07-28T00:00:00Z"}, {"advisory": "RHSA-2025:11747", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "firefox-0:128.13.0-1.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2025-07-24T00:00:00Z"}, {"advisory": "RHSA-2025:11748", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "firefox-0:128.13.0-1.el9_6", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2025-07-24T00:00:00Z"}], "bugzilla": {"description": "firefox: thunderbird: Incorrect URL stripping in CSP reports", "id": "2382704", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2382704"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "status": "verified"}, "cwe": "CWE-276", "details": ["The `username:password` part was not correctly stripped from URLs in CSP reports potentially leaking HTTP Basic Authentication credentials. This vulnerability affects Firefox < 141, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13, and Thunderbird < 140.1.", "A flaw was found in Firefox and Thunderbird. The Mozilla Foundation's Security Advisory describes the following issue:\nThe <code>username:password</code> part is incorrectly stripped from URLs in CSP reports, potentially leaking HTTP Basic Authentication credentials."], "name": "CVE-2025-8031", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "rhel10/firefox-flatpak", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "rhel10/thunderbird-flatpak", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-07-22T20:49:26Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-8031\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-8031\nhttps://www.mozilla.org/security/advisories/mfsa2025-58/#CVE-2025-8031\nhttps://www.mozilla.org/security/advisories/mfsa2025-62/#CVE-2025-8031"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.", "threat_severity": "Moderate"}

{"created": "2025-07-23T17:36:02.134616+00:00", "updated": "2025-07-23T17:36:02.134667+00:00", "vendors": ["mozilla", "mozilla$PRODUCT$firefox", "mozilla$PRODUCT$firefox_esr", "mozilla$PRODUCT$thunderbird"]}