CVE-2025-6425
BaseFortify
Publication date: 2025-06-24
Last updated on: 2026-04-13
Assigner: Mozilla Corporation
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mozilla | firefox | From 60.9.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves the WebCompat extension in Firefox versions before 140 and Firefox ESR versions before 115.25 and 128.12. An attacker who enumerated resources from this extension could obtain a persistent UUID that uniquely identifies the browser. This UUID persists across container tabs and normal/private browsing modes but does not persist across different user profiles. This means the attacker could track the browser across different browsing contexts. [1]
How can this vulnerability impact me?
The vulnerability could allow an attacker to track your browser persistently across different browsing contexts such as container tabs and private browsing modes. This tracking could compromise your privacy by linking your browsing activities even when using private or container modes, potentially exposing your browsing habits to unauthorized parties. [1]
What immediate steps should I take to mitigate this vulnerability?
Update Firefox to version 140 or later, or Firefox ESR to version 115.25 or later (for ESR 115) or 128.12 or later (for ESR 128), as these versions include the fix for the vulnerability in the WebCompat extension that exposed a persistent UUID. This will prevent attackers from enumerating resources to obtain the UUID and tracking the browser across container tabs and browsing modes. [1]