CVE-2025-6429

medium

Description

Firefox could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing the URL specified in an `embed` tag. This could have bypassed website security checks that restricted which domains users were allowed to embed. This vulnerability was fixed in Firefox 140, Firefox ESR 128.12, Thunderbird 140, and Thunderbird 128.12.

References

https://www.mozilla.org/security/advisories/mfsa2025-55/

https://www.mozilla.org/security/advisories/mfsa2025-54/

https://www.mozilla.org/security/advisories/mfsa2025-53/

https://www.mozilla.org/security/advisories/mfsa2025-51/

https://lists.debian.org/debian-lts-announce/2025/07/msg00002.html

https://lists.debian.org/debian-lts-announce/2025/06/msg00029.html

https://bugzilla.mozilla.org/show_bug.cgi?id=1970658

Details

Source: Mitre, NVD

Published: 2025-06-24

Updated: 2026-04-13

Risk Information

CVSS v2

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:N

Severity: High

CVSS v3

Base Score: 6.5

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Severity: Medium

EPSS

EPSS: 0.00019