CVE-2025-6433 Overview
A critical certificate validation bypass vulnerability has been identified in Mozilla Firefox and Thunderbird. When a user visits a webpage with an invalid TLS certificate and grants an exception, the webpage can improperly provide a WebAuthn challenge that the user would be prompted to complete. This behavior violates the WebAuthn specification, which explicitly requires "a secure transport established without errors" before WebAuthn operations can proceed.
This vulnerability (CWE-295: Improper Certificate Validation) allows malicious actors to potentially abuse WebAuthn authentication mechanisms through websites with untrusted TLS certificates, undermining the security guarantees that WebAuthn is designed to provide.
Critical Impact
Attackers can abuse WebAuthn authentication on sites with invalid TLS certificates, potentially leading to credential compromise, phishing attacks, or authentication bypass scenarios where users unknowingly authenticate to malicious origins.
Affected Products
- Mozilla Firefox versions prior to 140
- Mozilla Thunderbird versions prior to 140
Discovery Timeline
- 2025-06-24 - CVE-2025-6433 published to NVD
- 2025-07-14 - Last updated in NVD database
Technical Details for CVE-2025-6433
Vulnerability Analysis
This vulnerability represents a significant deviation from the WebAuthn specification's security requirements. The WebAuthn standard mandates that authenticator operations (such as credential creation and assertion) must only occur over secure, error-free connections. Firefox and Thunderbird failed to enforce this requirement when users manually granted certificate exceptions for invalid TLS certificates.
When a user encounters a website with an invalid or untrusted TLS certificate, browsers typically display a warning. If the user chooses to proceed by adding a certificate exception, they accept certain risks regarding data confidentiality and integrity. However, the WebAuthn specification explicitly prohibits WebAuthn operations in this scenario because the security model depends on verified origin identity.
The flaw allows a malicious webpage operating under a certificate exception to initiate WebAuthn ceremonies. Users may unknowingly register credentials or perform authentication assertions on what appears to be a legitimate site but is actually controlled by an attacker operating through an intercepted or spoofed connection.
Root Cause
The root cause of this vulnerability lies in improper certificate validation checks within the WebAuthn implementation. The browser's WebAuthn subsystem failed to verify whether the current connection was established with a valid, trusted TLS certificate before allowing WebAuthn API calls to proceed. Instead of checking the actual certificate validation status, the implementation only verified that an HTTPS connection existed, without accounting for user-granted certificate exceptions.
This oversight in the certificate validation logic (CWE-295) meant that the security checks were insufficient to meet the WebAuthn specification's requirements for a "secure transport established without errors."
Attack Vector
The attack vector for this vulnerability is network-based and requires user interaction. An attacker could exploit this vulnerability through the following scenario:
- The attacker establishes a man-in-the-middle position or creates a malicious website with an invalid TLS certificate (self-signed, expired, or with hostname mismatch)
- The victim visits the attacker's site and is presented with a certificate warning
- If the victim chooses to add a certificate exception and proceed, the attacker's page gains the ability to invoke WebAuthn APIs
- The attacker can then prompt the victim to complete WebAuthn challenges, potentially phishing credentials or registering attacker-controlled credentials
The vulnerability enables WebAuthn operations to proceed on connections where the origin cannot be cryptographically verified, violating the fundamental trust model of WebAuthn authentication. Technical details are available in the Mozilla Bug Report 1954033.
Detection Methods for CVE-2025-6433
Indicators of Compromise
- WebAuthn registration or authentication events from browser sessions where certificate exceptions were recently granted
- Unusual WebAuthn credential registrations associated with sites not using valid TLS certificates
- Browser logs indicating certificate exception grants followed by WebAuthn API invocations
- User reports of unexpected authentication prompts after bypassing certificate warnings
Detection Strategies
- Monitor browser telemetry for WebAuthn operations occurring on connections with certificate exceptions
- Implement network monitoring to detect TLS connections with invalid certificates being granted exceptions
- Review endpoint logs for Firefox or Thunderbird versions below 140 with active WebAuthn usage
- Deploy browser version detection policies to identify vulnerable installations across the enterprise
Monitoring Recommendations
- Enable enhanced logging for WebAuthn events in enterprise browser deployments
- Monitor for certificate exception events in browser security logs
- Implement alerts for WebAuthn credential registrations to unexpected or suspicious origins
- Track browser version compliance across the organization to identify vulnerable Firefox and Thunderbird installations
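As an added illustration of the correlation described in the detection and monitoring lists above (not code from Mozilla or from the advisory), the following script flags any WebAuthn ceremony that follows a certificate-exception grant for the same profile and origin inside a time window. The log format and event names are assumptions; the sample lines are constructed, since Firefox does not emit this log natively and a real deployment would map its own telemetry onto these fields.

```python
from datetime import datetime, timedelta

# Constructed sample log (not real Firefox output). Assumed format per line:
# <ISO-8601 timestamp> <profile> <event> origin=<origin>
SAMPLE_LOG = """\
2025-06-25T09:00:01Z alice cert_exception_added origin=https://intranet.example.test
2025-06-25T09:00:09Z alice webauthn_get origin=https://intranet.example.test
2025-06-25T09:05:00Z bob webauthn_create origin=https://sso.example.test
2025-06-25T09:30:00Z carol cert_exception_added origin=https://mail.example.test
2025-06-25T11:00:00Z carol webauthn_get origin=https://mail.example.test
"""

WEBAUTHN_EVENTS = {"webauthn_create", "webauthn_get"}  # assumed event names
WINDOW = timedelta(minutes=30)  # how long after an exception a ceremony is suspicious


def parse_line(line):
    """Split one assumed-format log line into (timestamp, profile, event, origin)."""
    ts, profile, event, origin_field = line.split(maxsplit=3)
    origin = origin_field.removeprefix("origin=")
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), profile, event, origin


def correlate(log_text, window=WINDOW):
    """Return (profile, origin, event, seconds_after_exception) for each WebAuthn
    ceremony that follows a certificate exception on the same profile+origin
    within `window`. Lines are processed in order, so an exception only
    influences ceremonies that come after it."""
    last_exception = {}  # (profile, origin) -> time the exception was granted
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, profile, event, origin = parse_line(raw)
        key = (profile, origin)
        if event == "cert_exception_added":
            last_exception[key] = ts
        elif event in WEBAUTHN_EVENTS and key in last_exception:
            delta = ts - last_exception[key]
            if timedelta(0) <= delta <= window:
                findings.append((profile, origin, event, int(delta.total_seconds())))
    return findings


if __name__ == "__main__":
    for profile, origin, event, secs in correlate(SAMPLE_LOG):
        print(f"ALERT {profile}: {event} on {origin} {secs}s after a certificate exception")
```

With the default 30-minute window only alice's ceremony fires; carol's 90-minute gap is reported only if the window is widened, and bob never granted an exception.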
How to Mitigate CVE-2025-6433
Immediate Actions Required
- Update Mozilla Firefox to version 140 or later immediately
- Update Mozilla Thunderbird to version 140 or later immediately
- Review and remove unnecessary certificate exceptions from browser profiles
- Educate users on the risks of granting certificate exceptions, especially on sites requiring authentication
Patch Information
Mozilla has released security patches addressing this vulnerability in Firefox 140 and Thunderbird 140. The fix ensures that WebAuthn operations are properly blocked when the underlying TLS connection has certificate validation errors or exceptions.
For detailed patch information, refer to the Mozilla Security Advisory MFSA-2025-51 and Mozilla Security Advisory MFSA-2025-54.
Workarounds
- Implement enterprise policies to prevent users from granting certificate exceptions on untrusted sites
- Consider disabling WebAuthn functionality on endpoints where browser updates cannot be immediately applied
- Deploy network-level controls to block access to sites presenting invalid TLS certificates
- Use browser configuration policies to restrict WebAuthn to trusted origins only
Example Firefox enterprise policy that stops users from overriding invalid-certificate warnings (the DisableSecurityBypass policy) and imports enterprise-issued roots so internal sites no longer need exceptions. Save it as policies.json in the distribution subdirectory of the Firefox installation directory; JSON does not allow comments, so the file must contain only the object below:
{
  "policies": {
    "DisableSecurityBypass": {
      "InvalidCertificate": true
    },
    "Certificates": {
      "ImportEnterpriseRoots": true
    }
  }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.