Skip to main content
CVE Vulnerability Database

CVE-2025-6430: Mozilla Firefox XSS Vulnerability

CVE-2025-6430 is a cross-site scripting flaw in Mozilla Firefox that occurs when Content-Disposition headers are ignored in embed or object tags. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-6430 Overview

CVE-2025-6430 is a cross-site scripting (XSS) flaw [CWE-79] affecting Mozilla Firefox, Firefox ESR, and Thunderbird. Firefox ignores the Content-Disposition: attachment directive when a resource is embedded via an <embed> or <object> HTML tag. Instead of forcing a file download, the browser renders the response inline in the embedding page's context. Attackers can abuse this behavior to execute script content on sites that host user-controlled files but rely on Content-Disposition to force downloads. Mozilla patched the issue in Firefox 140, Firefox ESR 128.12, Thunderbird 140, and Thunderbird 128.12.

Critical Impact

Web applications that serve user-uploaded content with Content-Disposition: attachment as their sole XSS mitigation remain exposed when victims visit an attacker-crafted page that loads that content through <embed> or <object>.

Affected Products

  • Mozilla Firefox versions prior to 140
  • Mozilla Firefox ESR versions prior to 128.12
  • Mozilla Thunderbird versions prior to 140 and prior to 128.12

Discovery Timeline

  • 2025-06-24 - CVE-2025-6430 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-6430

Vulnerability Analysis

The Content-Disposition response header with an attachment directive instructs a browser to save a resource to disk rather than render it inline. Firefox honored this directive for top-level navigations and standard resource loads but failed to enforce it when a resource was loaded through <embed> or <object> elements. The browser instead processed the response using the declared MIME type, allowing HTML or SVG responses to execute inline scripts within the embedding document's origin chain.

The classification maps to CWE-79, cross-site scripting, because attacker-controlled markup executes in a security context the server intended to prevent. Requires user interaction to visit the attacker page.

Root Cause

The download-forcing logic in the Firefox networking and content-loading pipeline did not consult the Content-Disposition header when the requesting element was <embed> or <object>. These element types were treated as inline embed contexts, so the browser skipped the attachment enforcement path applied to top-level navigations and anchor downloads. Any endpoint returning HTML, SVG, or another scriptable content type could therefore render and execute despite the server's intent.

Attack Vector

An attacker hosts or controls a page under attacker.example. The page includes an element such as <object data="https://victim.example/user-upload.html"></object> pointing to attacker-uploaded content on the target site. When a victim visits the attacker page, Firefox fetches the victim-origin resource and renders it inline, ignoring the Content-Disposition: attachment header the victim application sent. Script inside the fetched resource runs and can interact with the embedding chain, enabling XSS-style abuse against sites that assumed the attachment directive was sufficient protection for user uploads.

No verified public proof-of-concept code is available. See the Mozilla Bug Report #1971140 for technical details.

Detection Methods for CVE-2025-6430

Indicators of Compromise

  • Outbound requests from Firefox clients to user-content endpoints where responses carry Content-Disposition: attachment but are fetched with an Sec-Fetch-Dest: embed or Sec-Fetch-Dest: object header.
  • Web server access logs showing repeated fetches of user-uploaded HTML, SVG, or XML files from third-party referrers.
  • Unexpected script execution or DOM activity originating from resources served with Content-Disposition: attachment.

Detection Strategies

  • Inventory browser versions across the estate and flag Firefox and Thunderbird builds below the patched versions listed in Mozilla Security Advisory MFSA-2025-51 and MFSA-2025-53.
  • Inspect web application logs for cross-origin Referer values on requests to file-download endpoints, particularly when combined with embed or object fetch destinations.
  • Correlate proxy telemetry with browser user-agent strings to identify vulnerable Firefox versions still in use.

Monitoring Recommendations

  • Alert on Firefox and Thunderbird instances that have not received the June 2025 security updates or the corresponding Debian LTS packages.
  • Monitor user-upload hosting domains for embedding attempts from unexpected external origins.
  • Track content-security-policy (CSP) violation reports on applications hosting user content to detect embedding attempts.

How to Mitigate CVE-2025-6430

Immediate Actions Required

  • Update Firefox to version 140 or later and Firefox ESR to 128.12 or later on all endpoints.
  • Update Thunderbird to version 140 or later, or 128.12 or later on the ESR branch.
  • Apply the Debian security updates referenced in the Debian LTS Announcement June 2025 and July 2025 on affected Linux systems.

Patch Information

Mozilla addressed the flaw in Firefox 140, Firefox ESR 128.12, Thunderbird 140, and Thunderbird 128.12. Details are published in Mozilla Security Advisory MFSA-2025-51, MFSA-2025-53, MFSA-2025-54, and MFSA-2025-55.

Workarounds

  • Serve user-uploaded content from a separate, sandboxed origin so that inline execution cannot reach the primary application context.
  • Set a restrictive Content-Security-Policy on user-content endpoints, including sandbox and disallowing script-src.
  • Return non-scriptable MIME types such as application/octet-stream for user uploads, and reject requests where the Sec-Fetch-Dest header is embed or object for sensitive resources.
bash
# Example nginx configuration hardening a user-content location
location /uploads/ {
    add_header Content-Disposition "attachment" always;
    add_header Content-Security-Policy "default-src 'none'; sandbox;" always;
    add_header X-Content-Type-Options "nosniff" always;
    types { } default_type application/octet-stream;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.