Skip to main content
CVE Vulnerability Database

CVE-2025-6432: Mozilla Firefox DNS Bypass Vulnerability

CVE-2025-6432 is a DNS bypass flaw in Mozilla Firefox that allows DNS requests to bypass SOCKS proxies when Multi-Account Containers is enabled. This article covers technical details, affected versions, and mitigations.

Published:

CVE-2025-6432 Overview

CVE-2025-6432 is an information exposure vulnerability affecting Mozilla Firefox when the Multi-Account Containers extension is enabled. The flaw allows DNS requests to bypass a configured SOCKS proxy under specific conditions, potentially exposing user browsing activity and compromising privacy protections that users rely on when routing traffic through proxy services.

When Multi-Account Containers was enabled, DNS requests could bypass a SOCKS proxy when the domain name was invalid or the SOCKS proxy was not responding. This behavior could lead to DNS leak scenarios where a user's real IP address and browsing destinations become visible to network observers, despite the expectation of proxy-based anonymity.

Critical Impact

DNS requests can bypass SOCKS proxy configuration, potentially exposing user browsing activity and real IP addresses to network adversaries when privacy protections are expected to be active.

Affected Products

  • Mozilla Firefox versions prior to 140
  • Mozilla Thunderbird versions prior to 140

Discovery Timeline

  • 2025-06-24 - CVE-2025-6432 published to NVD
  • 2026-04-13 - Last updated in NVD database

Technical Details for CVE-2025-6432

Vulnerability Analysis

This vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The flaw resides in the network stack's handling of DNS resolution when the Multi-Account Containers feature is active in conjunction with SOCKS proxy configuration.

Under normal operation, when a user configures Firefox to route traffic through a SOCKS proxy, DNS queries should also be proxied to prevent DNS leakage. However, when Multi-Account Containers is enabled, certain edge cases in DNS resolution logic fail to enforce this proxy requirement. Specifically, when a domain name is considered invalid by the resolver or when the SOCKS proxy becomes unresponsive, the browser's fallback behavior allows DNS queries to be sent directly through the system's default DNS resolver instead of failing closed.

This creates a significant privacy concern for users who rely on SOCKS proxies for anonymity, such as those using Tor or VPN services with SOCKS endpoints. The exposure of DNS queries reveals which websites a user is attempting to visit, even if the actual HTTP traffic remains proxied.

Root Cause

The root cause of this vulnerability lies in the interaction between the Multi-Account Containers feature and Firefox's network proxy handling code. The containers feature introduces complexity in how network requests are contextualized and routed. When error conditions occur—specifically invalid domain names or proxy connection failures—the error handling path does not properly enforce the proxy-only DNS resolution policy, allowing a fallback to direct DNS queries.

This represents a fail-open design flaw where the system defaults to connectivity over security when encountering error conditions.

Attack Vector

The attack vector is network-based and requires no user interaction or privileges. An attacker positioned on the same network as the victim (such as a compromised router, malicious ISP, or public Wi-Fi hotspot operator) can observe DNS queries that leak from the browser.

The attack scenario involves:

  1. The victim configures Firefox to use a SOCKS proxy for privacy protection
  2. The victim enables Multi-Account Containers for browser compartmentalization
  3. The attacker causes the SOCKS proxy to become temporarily unresponsive, or the victim attempts to access an invalid domain
  4. DNS queries bypass the SOCKS proxy and are sent directly, allowing the attacker to observe them
  5. The attacker correlates DNS queries with the victim's IP address to profile browsing behavior

The vulnerability does not require the attacker to actively exploit the flaw—passive network monitoring is sufficient once the DNS leak condition is triggered.

Detection Methods for CVE-2025-6432

Indicators of Compromise

  • Unexpected DNS query traffic originating from Firefox processes that should be routing through a SOCKS proxy
  • Network logs showing DNS resolution occurring outside of configured proxy tunnels
  • DNS queries visible at the network gateway when all traffic should be proxied

Detection Strategies

  • Monitor for DNS traffic from endpoints configured to use SOCKS proxies exclusively
  • Implement network segmentation that alerts on direct DNS queries from systems expected to proxy all traffic
  • Deploy DNS leak detection tools that compare observed DNS traffic against expected proxy configurations

Monitoring Recommendations

  • Review Firefox version deployments across the organization to identify vulnerable instances
  • Implement network-level DNS monitoring to detect unauthorized direct DNS queries
  • Configure SIEM rules to alert on DNS traffic patterns inconsistent with proxy configurations

How to Mitigate CVE-2025-6432

Immediate Actions Required

  • Update Mozilla Firefox to version 140 or later immediately
  • Update Mozilla Thunderbird to version 140 or later if applicable
  • Audit network proxy configurations to ensure DNS leak protections are functioning correctly after updates

Patch Information

Mozilla has addressed this vulnerability in Firefox 140 and Thunderbird 140. Organizations should prioritize updating all Firefox installations to the patched version. The security fix ensures that DNS requests properly respect SOCKS proxy configurations even when error conditions occur.

For detailed patch information, refer to the Mozilla Security Advisory MFSA-2025-51 and Mozilla Security Advisory MFSA-2025-54. Technical details about the underlying issue can be found in Mozilla Bug Report #1943804.

Workarounds

  • Temporarily disable Multi-Account Containers extension if immediate patching is not possible
  • Configure firewall rules to block all DNS traffic (port 53 UDP/TCP) except through approved proxy endpoints
  • Use browser network isolation or containerization solutions to prevent direct network access from browser processes
  • Consider using VPN solutions with kill-switch functionality that blocks all traffic if the VPN connection fails
bash
# Example iptables rule to block direct DNS and force proxy usage
# This prevents DNS leaks by dropping all direct DNS traffic from the user
iptables -A OUTPUT -p udp --dport 53 -m owner --uid-owner $USER_ID -j DROP
iptables -A OUTPUT -p tcp --dport 53 -m owner --uid-owner $USER_ID -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.