CVE-2025-6432 Overview
CVE-2025-6432 is an information exposure vulnerability affecting Mozilla Firefox when the Multi-Account Containers extension is enabled. The flaw allows DNS requests to bypass a configured SOCKS proxy under specific conditions, potentially exposing user browsing activity and compromising privacy protections that users rely on when routing traffic through proxy services.
When Multi-Account Containers was enabled, DNS requests could bypass a SOCKS proxy when the domain name was invalid or the SOCKS proxy was not responding. This behavior could lead to DNS leak scenarios where a user's real IP address and browsing destinations become visible to network observers, despite the expectation of proxy-based anonymity.
Critical Impact
DNS requests can bypass SOCKS proxy configuration, potentially exposing user browsing activity and real IP addresses to network adversaries when privacy protections are expected to be active.
Affected Products
- Mozilla Firefox versions prior to 140
- Mozilla Thunderbird versions prior to 140
Discovery Timeline
- 2025-06-24 - CVE-2025-6432 published to NVD
- 2026-04-13 - Last updated in NVD database
Technical Details for CVE-2025-6432
Vulnerability Analysis
This vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The flaw resides in the network stack's handling of DNS resolution when the Multi-Account Containers feature is active in conjunction with SOCKS proxy configuration.
Under normal operation, when a user configures Firefox to route traffic through a SOCKS proxy, DNS queries should also be proxied to prevent DNS leakage. However, when Multi-Account Containers is enabled, certain edge cases in DNS resolution logic fail to enforce this proxy requirement. Specifically, when a domain name is considered invalid by the resolver or when the SOCKS proxy becomes unresponsive, the browser's fallback behavior allows DNS queries to be sent directly through the system's default DNS resolver instead of failing closed.
This creates a significant privacy concern for users who rely on SOCKS proxies for anonymity, such as those using Tor or VPN services with SOCKS endpoints. The exposure of DNS queries reveals which websites a user is attempting to visit, even if the actual HTTP traffic remains proxied.
Root Cause
The root cause of this vulnerability lies in the interaction between the Multi-Account Containers feature and Firefox's network proxy handling code. The containers feature introduces complexity in how network requests are contextualized and routed. When error conditions occur—specifically invalid domain names or proxy connection failures—the error handling path does not properly enforce the proxy-only DNS resolution policy, allowing a fallback to direct DNS queries.
This represents a fail-open design flaw where the system defaults to connectivity over security when encountering error conditions.
Attack Vector
The attack vector is network-based and requires no user interaction or privileges. An attacker positioned on the same network as the victim (such as a compromised router, malicious ISP, or public Wi-Fi hotspot operator) can observe DNS queries that leak from the browser.
The attack scenario involves:
- The victim configures Firefox to use a SOCKS proxy for privacy protection
- The victim enables Multi-Account Containers for browser compartmentalization
- The attacker causes the SOCKS proxy to become temporarily unresponsive, or the victim attempts to access an invalid domain
- DNS queries bypass the SOCKS proxy and are sent directly, allowing the attacker to observe them
- The attacker correlates DNS queries with the victim's IP address to profile browsing behavior
The vulnerability does not require the attacker to actively exploit the flaw—passive network monitoring is sufficient once the DNS leak condition is triggered.
Detection Methods for CVE-2025-6432
Indicators of Compromise
- Unexpected DNS query traffic originating from Firefox processes that should be routing through a SOCKS proxy
- Network logs showing DNS resolution occurring outside of configured proxy tunnels
- DNS queries visible at the network gateway when all traffic should be proxied
Detection Strategies
- Monitor for DNS traffic from endpoints configured to use SOCKS proxies exclusively
- Implement network segmentation that alerts on direct DNS queries from systems expected to proxy all traffic
- Deploy DNS leak detection tools that compare observed DNS traffic against expected proxy configurations
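The comparison of observed DNS traffic against expected proxy configuration described above can be sketched as follows. This is an added example, not code from Mozilla or from the original page; the flow-record format, the host addresses and the PROXY_ONLY_HOSTS policy table are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumption: endpoints that policy requires to send all traffic through SOCKS,
# mapped to the only proxy address each one may contact.
PROXY_ONLY_HOSTS = {
    "10.0.5.21": "10.0.9.10",
    "10.0.5.22": "10.0.9.10",
}

# Constructed sample flow records: "timestamp src dst proto dport qname"
SAMPLE_LOG = """\
2025-06-25T09:14:02Z 10.0.5.21 10.0.9.10 tcp 1080 -
2025-06-25T09:14:03Z 10.0.5.21 10.0.0.53 udp 53 intranet.example
2025-06-25T09:14:05Z 10.0.5.22 10.0.9.10 tcp 1080 -
2025-06-25T09:14:09Z 10.0.5.21 192.0.2.53 tcp 53 bad_name.example
2025-06-25T09:14:11Z 10.0.7.40 10.0.0.53 udp 53 updates.example
truncated line
"""

def find_dns_leaks(log_text, proxy_only=PROXY_ONLY_HOSTS):
    """Return {src_ip: [(timestamp, resolver, proto, qname), ...]} for direct DNS."""
    leaks = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed records rather than guessing
        ts, src, dst, proto, dport, qname = fields
        try:
            ipaddress.ip_address(src)
            ipaddress.ip_address(dst)
            dport = int(dport)
        except ValueError:
            continue  # not a valid address or port
        if src not in proxy_only:
            continue  # host is not under the proxy-only policy
        # Direct DNS: port 53 over UDP or TCP to anything but the approved proxy.
        if dport == 53 and proto in ("udp", "tcp") and dst != proxy_only[src]:
            leaks[src].append((ts, dst, proto, qname))
    return dict(leaks)

if __name__ == "__main__":
    for host, events in find_dns_leaks(SAMPLE_LOG).items():
        for ts, resolver, proto, qname in events:
            print(f"ALERT {ts} {host} -> {resolver} {proto}/53 query={qname}")
```

Hosts outside the policy table (10.0.7.40 in the sample) are ignored, so the alert volume stays tied to endpoints where proxied DNS is actually expected.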
Monitoring Recommendations
- Review Firefox version deployments across the organization to identify vulnerable instances
- Implement network-level DNS monitoring to detect unauthorized direct DNS queries
- Configure SIEM rules to alert on DNS traffic patterns inconsistent with proxy configurations
How to Mitigate CVE-2025-6432
Immediate Actions Required
- Update Mozilla Firefox to version 140 or later immediately
- Update Mozilla Thunderbird to version 140 or later if applicable
- Audit network proxy configurations to ensure DNS leak protections are functioning correctly after updates
Patch Information
Mozilla has addressed this vulnerability in Firefox 140 and Thunderbird 140. Organizations should prioritize updating all Firefox installations to the patched version. The security fix ensures that DNS requests properly respect SOCKS proxy configurations even when error conditions occur.
For detailed patch information, refer to the Mozilla Security Advisory MFSA-2025-51 and Mozilla Security Advisory MFSA-2025-54. Technical details about the underlying issue can be found in Mozilla Bug Report #1943804.
Workarounds
- Temporarily disable Multi-Account Containers extension if immediate patching is not possible
- Configure firewall rules to block all DNS traffic (port 53 UDP/TCP) except through approved proxy endpoints
- Use browser network isolation or containerization solutions to prevent direct network access from browser processes
- Consider using VPN solutions with kill-switch functionality that blocks all traffic if the VPN connection fails
# Example iptables rules to block direct DNS so lookups cannot leave outside the proxy
# Run as root. Set USER_ID to the numeric UID of the account that runs Firefox (see `id -u <username>`).
# These rules cover IPv4 only; add matching ip6tables rules where IPv6 is enabled.
iptables -A OUTPUT -p udp --dport 53 -m owner --uid-owner "$USER_ID" -j DROP
iptables -A OUTPUT -p tcp --dport 53 -m owner --uid-owner "$USER_ID" -j DROP

