CVE-2025-6429

Incorrect parsing of URLs could have allowed embedding of youtube.com

CVSS 6.5 MEDIUMEPSS 0.3%CWE-116

Vexday Risk Score

13Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS 6.5EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

24 jun 2025Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

Firefox could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing the URL specified in an `embed` tag. This could have bypassed website security checks that restricted which domains users were allowed to embed. This vulnerability was fixed in Firefox 140, Firefox ESR 128.12, Thunderbird 140, and Thunderbird 128.12.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Produtos afetados

Mozilla · Firefox Mozilla · Thunderbird

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://bugzilla.mozilla.org/show_bug.cgi?id=1970658 https://lists.debian.org/debian-lts-announce/2025/06/msg00029.html https://lists.debian.org/debian-lts-announce/2025/07/msg00002.html https://www.mozilla.org/security/advisories/mfsa2025-51/https://www.mozilla.org/security/advisories/mfsa2025-53/https://www.mozilla.org/security/advisories/mfsa2025-54/https://www.mozilla.org/security/advisories/mfsa2025-55/