AI description
CVE-2025-6430 is a security vulnerability found in Mozilla Firefox browsers before version 140 and Firefox ESR (Extended Support Release) before version 128.12. It was discovered by Daniil Satyaev of Positive Technologies and publicly disclosed on June 24, 2025. The vulnerability arises when a file download is specified using the `Content-Disposition` header, but the directive is ignored if the file is included via HTML `<embed>` or `<object>` tags. This can expose websites to cross-site scripting (XSS) attacks, potentially allowing attackers to execute malicious scripts within the context of the vulnerable website, leading to unauthorized access or content manipulation. To mitigate this, users are advised to update their Firefox browsers to version 140 or ESR 128.12 or later.
- Description
- When a file download is specified via the `Content-Disposition` header, that directive would be ignored if the file was included via a `<embed>` or `<object>` tag, potentially making a website vulnerable to a cross-site scripting attack. This vulnerability affects Firefox < 140, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12.
- Source
- security@mozilla.org
- NVD status
- Modified
- Products
- firefox
CVSS 3.1
- Type
- Secondary
- Base score
- 6.1
- Impact score
- 2.7
- Exploitability score
- 2.8
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- Severity
- MEDIUM
- 134c704f-9b21-4f2e-91b3-4a467353bcc0
- CWE-79
- Hype score
- Not currently trending
Top 5 Trending CVEs: 1 - CVE-2025-32711 2 - CVE-2024-51978 3 - CVE-2025-6430 4 - CVE-2025-32433 5 - CVE-2020-9547 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W
@CVEShield
29 Jun 2025
14 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🦊 Mozilla Foundation fixed CVE-2025-6430, discovered by our researcher Daniil Satyaev! This vulnerability allows the Content-Disposition: attachment header to be ignored if the page is opened using <embed> or <object>, resulting in files being displayed instead of
@ptswarm
27 Jun 2025
12815 Impressions
34 Retweets
173 Likes
54 Bookmarks
3 Replies
3 Quotes
CVE-2025-6430 Cross-Site Scripting Vulnerability in Firefox via Content-Disposition Header Bypass https://t.co/MR72co1TzE
@VulmonFeeds
24 Jun 2025
51 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-6430 When a file download is specified via the `Content-Disposition` header, that directive would be ignored if the file was included via a `&lt;embed&gt;` or `&lt;object&gt… https://t.co/RAyhBY1jNi
@CVEnew
24 Jun 2025
404 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*",
"vulnerable": true,
"matchCriteriaId": "18420C6D-A5DF-41A4-8A81-F1BBFBA1BE2A",
"versionEndExcluding": "128.12.0"
},
{
"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*",
"vulnerable": true,
"matchCriteriaId": "77D2BF2A-26A3-4664-93B5-B41BCF17AC9E",
"versionEndExcluding": "140.0"
}
],
"operator": "OR"
}
]
}
]