CVE-2025-5270 Overview
CVE-2025-5270 affects Mozilla Firefox and Thunderbird, where the Server Name Indication (SNI) field could be transmitted in cleartext even when encrypted DNS was enabled. The flaw undermines the privacy guarantees that users expect when configuring DNS over HTTPS (DoH) or similar encrypted resolution mechanisms. A network observer positioned between the client and a remote server can read SNI values and identify which hostnames a user visits. Mozilla addressed the issue in Firefox 139 and Thunderbird 139. The weakness is classified under CWE-319: Cleartext Transmission of Sensitive Information.
Critical Impact
Network-positioned attackers can monitor browsing destinations of Firefox and Thunderbird users who relied on encrypted DNS for hostname privacy.
Affected Products
- Mozilla Firefox versions prior to 139
- Mozilla Thunderbird versions prior to 139
- Configurations using encrypted DNS (DNS over HTTPS) for hostname privacy
Discovery Timeline
- 2025-05-27 - CVE-2025-5270 published to NVD
- 2026-04-13 - Last updated in NVD database
Technical Details for CVE-2025-5270
Vulnerability Analysis
The vulnerability resides in how Firefox and Thunderbird handle the TLS handshake when encrypted DNS is enabled. Users enable DNS over HTTPS to prevent on-path observers from seeing requested hostnames. However, the TLS ClientHello message still carries the SNI extension, which contains the destination hostname in plaintext. Under certain conditions, the browser failed to suppress or protect this field even though the user opted into encrypted DNS for privacy. An adversary tapping traffic on the local network, ISP, or any upstream hop can read SNI and reconstruct a user's browsing activity. The issue is tracked in Mozilla Bug 1910298.
Root Cause
The root cause is inconsistent enforcement of privacy-preserving transport behavior. Encrypted DNS hides hostname lookups, but full hostname privacy also requires Encrypted Client Hello (ECH) to protect SNI during the TLS handshake. Firefox and Thunderbird code paths did not consistently pair encrypted DNS with ECH, leaving SNI exposed in cleartext in specific scenarios.
Attack Vector
Exploitation requires a passive network position between the client and the destination server. The attacker captures TLS ClientHello packets and extracts the server_name extension. No interaction with the user or the server is needed. The attack is silent, leaves no client-side trace, and works against any Firefox or Thunderbird build prior to 139 when the affected configuration is in use. See the Mozilla Security Advisory MFSA-2025-42 for details.
No public proof-of-concept code is required because reading SNI from captured TLS handshakes is a well-documented passive technique using standard packet capture tools.
Detection Methods for CVE-2025-5270
Indicators of Compromise
- Firefox or Thunderbird client versions earlier than 139 running in environments where encrypted DNS is configured
- TLS ClientHello packets from affected clients containing populated server_name extensions despite DoH being enabled
- Endpoint browser version inventory showing builds listed as affected in MFSA-2025-42
Detection Strategies
- Inventory Firefox and Thunderbird versions across managed endpoints and flag any host running a release prior to 139.
- Inspect outbound TLS traffic from clients with DoH policies applied and confirm whether SNI is encrypted via ECH or transmitted in cleartext.
- Correlate DNS telemetry with TLS metadata to identify configuration drift where encrypted DNS is enabled but SNI is exposed.
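The Vulnerability Analysis above describes the SNI extension riding in the plaintext ClientHello, and the detection strategies above call for inspecting outbound TLS to see whether that field is cleartext or protected by ECH. The following Python is an added example (not code from Mozilla or from this advisory) of the check a defender would run over captured handshakes: it parses a TLS ClientHello record, extracts the server_name value, and reports whether an encrypted_client_hello extension is present. The sample record is constructed inline rather than taken from a real capture, and the ECH extension codepoint 0xFE0D is the draft-ietf-tls-esni value that current browsers ship; treat that codepoint as an assumption to verify against your own captures.

```python
import struct

SNI_EXT = 0x0000   # server_name extension type, RFC 6066
ECH_EXT = 0xFE0D   # encrypted_client_hello draft codepoint (assumption, see lead-in)


def _u16(n):
    return struct.pack("!H", n)


def _u24(n):
    return struct.pack("!I", n)[1:]


def build_client_hello(server_name, with_ech=False):
    """Build a constructed TLS 1.2-style record carrying a ClientHello.

    This is sample input for the parser below, not a real capture.
    """
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + _u16(len(name)) + name          # name_type 0 = host_name
        body = _u16(len(entry)) + entry                   # ServerNameList
        exts += _u16(SNI_EXT) + _u16(len(body)) + body
    if with_ech:
        payload = b"\x00" * 16                            # opaque placeholder ECH payload
        exts += _u16(ECH_EXT) + _u16(len(payload)) + payload
    hello = (b"\x03\x03"            # legacy_version
             + b"\x11" * 32         # random (constructed)
             + b"\x00"              # empty legacy_session_id
             + _u16(2) + b"\x13\x01"  # one cipher suite: TLS_AES_128_GCM_SHA256
             + b"\x01\x00"          # compression_methods: null only
             + _u16(len(exts)) + exts)
    handshake = b"\x01" + _u24(len(hello)) + hello        # HandshakeType client_hello
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake


def _parse_sni(data):
    """Return the host_name entry of a ServerNameList, or None."""
    list_len = struct.unpack("!H", data[:2])[0]
    pos, end = 2, 2 + list_len
    while pos + 3 <= end:
        name_type = data[pos]
        name_len = struct.unpack("!H", data[pos + 1:pos + 3])[0]
        pos += 3
        name = data[pos:pos + name_len]
        pos += name_len
        if name_type == 0:
            return name.decode("ascii", errors="replace")
    return None


def parse_client_hello(record):
    """Walk a TLS record and return {'sni', 'ech', 'extensions'} for its ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                  # skip legacy_version and random
    pos += 1 + body[pos]                          # legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                          # compression_methods
    result = {"sni": None, "ech": False, "extensions": []}
    if pos + 2 > len(body):
        return result                             # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        raise ValueError("extensions block overflows ClientHello")
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if len(data) != elen:
            raise ValueError("truncated extension")
        result["extensions"].append(etype)
        if etype == SNI_EXT:
            result["sni"] = _parse_sni(data)
        elif etype == ECH_EXT:
            result["ech"] = True
    return result


def classify(parsed):
    """Label a parsed ClientHello for the DoH-without-ECH drift this advisory describes."""
    if parsed["ech"]:
        return "ech"             # outer SNI is only the ECH config public_name
    if parsed["sni"]:
        return "cleartext-sni"   # real destination hostname visible on the wire
    return "no-sni"


if __name__ == "__main__":
    for name, ech in (("www.example.com", False), ("public.example", True), (None, False)):
        parsed = parse_client_hello(build_client_hello(name, with_ech=ech))
        print(parsed["sni"], parsed["ech"], classify(parsed))
```

Two points matter when reading the output against real captures. A ClientHello that carries ECH still has a cleartext server_name, but that value is the public_name of the client-facing server, not the site the user is visiting, so the presence of the 0xFE0D extension, not the absence of SNI, is the signal that the hostname is protected. Conversely, a client with DoH enabled whose ClientHellos are consistently classified cleartext-sni is exhibiting the drift the detection strategy above is looking for.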
Monitoring Recommendations
- Track Mozilla security advisories and align patch windows with each Firefox and Thunderbird release.
- Log browser update status from endpoint management tooling and alert when versions fall behind the supported baseline.
- Review network egress logs for unexpected server_name values from endpoints that should be anonymized through ECH.
How to Mitigate CVE-2025-5270
Immediate Actions Required
- Upgrade Firefox to version 139 or later on all managed endpoints.
- Upgrade Thunderbird to version 139 or later on all managed mail clients.
- Enable Encrypted Client Hello (ECH) in about:config to protect SNI alongside encrypted DNS.
- Confirm DNS over HTTPS settings remain active after the browser upgrade.
Patch Information
Mozilla fixed the issue in Firefox 139 and Thunderbird 139. Administrators should deploy the patched releases through enterprise update channels or rely on Mozilla's built-in updater. Full remediation details are published in the Mozilla Security Advisory MFSA-2025-42 and MFSA-2025-45.
Workarounds
- Route browser traffic through a VPN or Tor to mask SNI from local network observers until patches are applied.
- Avoid visiting sensitive destinations from unpatched Firefox or Thunderbird builds while on untrusted networks.
- Enforce browser update policies through enterprise management to prevent users from running outdated versions.
# Configuration example: enable Encrypted Client Hello in Firefox
# In about:config, set the following preferences:
network.dns.echconfig.enabled = true
network.dns.http3_echconfig.enabled = true
network.trr.mode = 2 # DNS over HTTPS enabled
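The configuration above is what an endpoint should look like once ECH is paired with DoH. As an added example that is not part of the advisory or of any Mozilla tooling, the Python below audits a Firefox profile's prefs.js for the opposite state: DoH turned on (network.trr.mode 2 or 3) while network.dns.echconfig.enabled is explicitly false, combined with a build older than 139. The prefs.js text and the DoH resolver URL in it are constructed samples; the prefs.js line format (user_pref("name", value);) is Firefox's real one, and the version threshold comes from this advisory. When a pref is absent from prefs.js the profile is on the build default, which this script reports as unverified rather than guessing the default.

```python
import re

# Matches one line of a Firefox prefs.js: user_pref("name", value);
PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Constructed sample profiles (not real captures). The resolver URL is a placeholder.
SAMPLE_PREFS_DRIFTED = """\
// Mozilla User Preferences (constructed sample)
user_pref("network.trr.mode", 2);
user_pref("network.trr.uri", "https://doh.example/dns-query");
user_pref("network.dns.echconfig.enabled", false);
user_pref("network.dns.http3_echconfig.enabled", false);
"""

SAMPLE_PREFS_HARDENED = """\
// Mozilla User Preferences (constructed sample)
user_pref("network.trr.mode", 2);
user_pref("network.trr.uri", "https://doh.example/dns-query");
user_pref("network.dns.echconfig.enabled", true);
user_pref("network.dns.http3_echconfig.enabled", true);
"""


def parse_prefs_js(text):
    """Parse prefs.js into a dict, converting JS literals to Python values."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m:
            continue                       # comments and blank lines
        key, raw = m.groups()
        if raw == "true":
            val = True
        elif raw == "false":
            val = False
        elif raw.startswith('"') and raw.endswith('"'):
            val = raw[1:-1]
        else:
            try:
                val = int(raw)
            except ValueError:
                val = raw                  # leave unrecognised literals as text
        prefs[key] = val
    return prefs


def parse_version(version):
    """'138.0.4' -> (138, 0, 4); tolerates suffixes like '139.0esr'."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])


def is_affected_build(version):
    """True for any Firefox/Thunderbird release prior to 139 (per MFSA-2025-42)."""
    return parse_version(version) < (139,)


def assess(prefs, version):
    """Return a list of finding labels for one endpoint's prefs and build version."""
    findings = []
    if is_affected_build(version):
        findings.append("outdated-build")
    doh_on = prefs.get("network.trr.mode") in (2, 3)   # 2 = DoH with fallback, 3 = DoH only
    ech = prefs.get("network.dns.echconfig.enabled")
    if doh_on and ech is False:
        findings.append("doh-without-ech")             # the drift this advisory concerns
    elif doh_on and ech is None:
        findings.append("ech-not-explicit")            # on build default; verify separately
    return findings


if __name__ == "__main__":
    print(assess(parse_prefs_js(SAMPLE_PREFS_DRIFTED), "138.0.4"))
    print(assess(parse_prefs_js(SAMPLE_PREFS_HARDENED), "139.0"))
```

Run against a real profile by reading prefs.js from the profile directory and taking the version from your endpoint inventory; a host that reports doh-without-ech alongside outdated-build is exactly the population the Detection Strategies section asks you to flag.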
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.