CVE-2025-6430

Published Jun 24, 2025

Last updated 3 days ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-6430 is a security vulnerability found in Mozilla Firefox browsers before version 140 and Firefox ESR (Extended Support Release) before version 128.12. It was discovered by Daniil Satyaev of Positive Technologies and publicly disclosed on June 24, 2025. The vulnerability arises when a file download is specified using the `Content-Disposition` header, but the directive is ignored if the file is included via HTML `<embed>` or `<object>` tags. This can expose websites to cross-site scripting (XSS) attacks, potentially allowing attackers to execute malicious scripts within the context of the vulnerable website, leading to unauthorized access or content manipulation. To mitigate this, users are advised to update their Firefox browsers to version 140 or ESR 128.12 or later.

Description: When a file download is specified via the `Content-Disposition` header, that directive would be ignored if the file was included via a `<embed>` or `<object>` tag, potentially making a website vulnerable to a cross-site scripting attack. This vulnerability affects Firefox < 140 and Firefox ESR < 128.12.
Source: security@mozilla.org
NVD status: Awaiting Analysis

Risk scores

CVSS 3.1

Type: Secondary
Base score: 6.1
Impact score: 2.7
Exploitability score: 2.8
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Severity: MEDIUM

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0: CWE-79

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score: 27

References