CVE-2025-6435 Overview
CVE-2025-6435 affects Mozilla Firefox and Thunderbird versions prior to 140. The vulnerability resides in the Developer Tools (Devtools) Network tab. When a user saves a network response using the Save As context menu option, the resulting file may not receive the .download file extension. An attacker can leverage this behavior to trick users into saving and executing a malicious file. The flaw is categorized under [CWE-434] Unrestricted Upload of File with Dangerous Type. Mozilla addressed the issue in Firefox 140 and Thunderbird 140.
Critical Impact
Users saving network responses through Devtools may inadvertently execute attacker-controlled binaries because the safety extension .download is not appended.
Affected Products
- Mozilla Firefox versions prior to 140
- Mozilla Thunderbird versions prior to 140
- Devtools Network tab Save As functionality
Discovery Timeline
- 2025-06-24 - CVE-2025-6435 published to the National Vulnerability Database (NVD)
- 2026-04-13 - Last updated in the NVD
Technical Details for CVE-2025-6435
Vulnerability Analysis
The vulnerability resides in the file save workflow within the Firefox and Thunderbird Devtools Network tab. Mozilla browsers normally append a .download extension to files saved through Devtools to prevent users from accidentally executing untrusted content. This safety mechanism failed for responses saved through the Save As context menu option. The saved file retained its original or attacker-influenced extension, including executable extensions on Windows and other operating systems. A user inspecting network traffic from a malicious site could save what appears to be benign content but receive an executable file on disk.
Root Cause
The root cause is missing enforcement of the .download extension on the Save As code path within Devtools. The download dialog inherited the filename and extension hints from the HTTP response or the user-supplied name without applying the protective suffix. This matches the Unrestricted Upload of File with Dangerous Type weakness pattern documented in [CWE-434].
Attack Vector
The attack requires user interaction and developer-tooling activity, which raises attack complexity. An attacker hosts content served with a chosen filename or content-disposition header. The victim opens Devtools, inspects the network response, and selects Save As from the context menu. The browser writes the file to disk without the .download suffix. If the file is an executable format and the user opens it, attacker-controlled code runs in the user context. The vulnerability is described in Mozilla Security Advisory MFSA-2025-51 and Mozilla Security Advisory MFSA-2025-54.
Detection Methods for CVE-2025-6435
Indicators of Compromise
- Executable files written to user download directories by browser processes such as firefox.exe or thunderbird.exe
- Process execution chains where a Mozilla browser process spawns a child process from a recently downloaded binary
- Files saved without the .download extension immediately followed by user execution from a browser-managed directory
Detection Strategies
- Monitor endpoint telemetry for file write events from Firefox or Thunderbird that produce executable extensions such as .exe, .msi, .bat, .cmd, .scr, or .ps1
- Alert on Mozilla browser processes as parents of newly written executables that are later launched by the same user session
- Inventory installed Firefox and Thunderbird versions and flag any host running a version earlier than 140
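As an added example (not from the advisory or from Mozilla), the following Python applies the parent-process correlation and version-inventory checks above to a few constructed telemetry lines; the pipe-separated event format, the 30-minute correlation window and the process names are assumptions.

```python
from datetime import datetime, timedelta

# Executable extensions named in the detection guidance above
EXEC_EXTENSIONS = {".exe", ".msi", ".bat", ".cmd", ".scr", ".ps1"}
MOZILLA_PROCESSES = {"firefox.exe", "thunderbird.exe", "firefox", "thunderbird"}
EXEC_WINDOW = timedelta(minutes=30)  # assumed correlation window, not from the advisory

# Constructed telemetry lines in an assumed format: timestamp|event_type|process|path
SAMPLE_TELEMETRY = [
    r"2025-07-01T10:00:00|file_write|firefox.exe|C:\Users\alice\Downloads\report.exe",
    r"2025-07-01T10:02:30|process_start|report.exe|C:\Users\alice\Downloads\report.exe",
    r"2025-07-01T10:05:00|file_write|firefox.exe|C:\Users\alice\Downloads\invoice.exe.download",
    r"2025-07-01T10:07:00|file_write|excel.exe|C:\Users\alice\Downloads\macro.exe",
    r"2025-07-01T10:08:00|process_start|macro.exe|C:\Users\alice\Downloads\macro.exe",
]

def parse_event(line):
    """Split one telemetry line into a dict; timestamps are ISO 8601."""
    ts, kind, proc, path = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "type": kind,
            "process": proc.lower(), "path": path}

def has_exec_extension(path):
    """True for an executable extension that lacks the protective .download suffix."""
    lower = path.lower()
    # A trailing .download means the safety suffix was applied, so the file will not run directly
    return not lower.endswith(".download") and any(lower.endswith(e) for e in EXEC_EXTENSIONS)

def find_suspicious(lines):
    """Paths written by a Mozilla process with an executable extension, then launched within EXEC_WINDOW."""
    events = [parse_event(l) for l in lines if l.strip()]
    written_at = {}
    for ev in events:
        if (ev["type"] == "file_write" and ev["process"] in MOZILLA_PROCESSES
                and has_exec_extension(ev["path"])):
            written_at[ev["path"].lower()] = ev["ts"]
    hits = []
    for ev in events:
        if ev["type"] != "process_start":
            continue
        t_write = written_at.get(ev["path"].lower())
        if t_write is not None and timedelta(0) <= ev["ts"] - t_write <= EXEC_WINDOW:
            hits.append(ev["path"])
    return hits

def below_fixed_version(version, fixed_major=140):
    """True when a Firefox or Thunderbird version string predates the 140 fix release."""
    return int(version.strip().split(".")[0]) < fixed_major
```

On the sample data only report.exe is flagged: the .download-suffixed file and the executable written by a non-Mozilla process are ignored.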
Monitoring Recommendations
- Track browser version compliance through software inventory tooling and prioritize remediation for endpoints running Firefox or Thunderbird below version 140
- Log Devtools usage patterns where feasible and correlate with subsequent process executions from download paths
- Review Mozilla security advisories on a recurring cadence and map advisory identifiers to internal patching tickets
How to Mitigate CVE-2025-6435
Immediate Actions Required
- Upgrade Mozilla Firefox to version 140 or later on all managed endpoints
- Upgrade Mozilla Thunderbird to version 140 or later on all managed endpoints
- Validate that automatic update mechanisms are enabled and functioning across the fleet
Patch Information
Mozilla fixed the vulnerability in Firefox 140 and Thunderbird 140. Patch details and affected component information are documented in Mozilla Security Advisory MFSA-2025-51, Mozilla Security Advisory MFSA-2025-54, Bugzilla Issue #1950056, and Bugzilla Issue #1961777.
Workarounds
- Instruct users to avoid using the Save As option from the Devtools Network tab on untrusted sites until the patch is applied
- Configure application control policies to block execution of files downloaded by browser processes unless explicitly approved
- Restrict Devtools access on managed builds where developer functionality is not required
# Verify installed Firefox version on Linux endpoints
firefox --version
# Verify installed Thunderbird version on Linux endpoints
thunderbird --version
# Example Windows query for installed Firefox version
reg query "HKLM\SOFTWARE\Mozilla\Mozilla Firefox" /v CurrentVersion
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.