CVE-2025-6435 Overview
CVE-2025-6435 affects Mozilla Firefox and Thunderbird before version 140. The vulnerability resides in the DevTools Network tab Save As context menu functionality. When a user saved a response from the Network tab, the file may not have been saved with the expected .download file extension. This allowed potentially malicious server-supplied content to retain an executable extension on disk. A user could then inadvertently execute the saved file, leading to arbitrary code execution. The flaw is classified under [CWE-434] Unrestricted Upload of File with Dangerous Type. Mozilla addressed the issue in Firefox 140 and Thunderbird 140.
Critical Impact
A malicious web server can deliver content that, when saved via DevTools, retains an executable extension and runs arbitrary code if launched by the user.
Affected Products
- Mozilla Firefox versions prior to 140
- Mozilla Thunderbird versions prior to 140
- All operating systems where Firefox or Thunderbird DevTools are available
Discovery Timeline
- 2025-06-24 - CVE-2025-6435 published to the National Vulnerability Database (NVD)
- 2025-06-24 - Mozilla publishes advisories MFSA-2025-51 and MFSA-2025-54
- 2026-04-13 - Last updated in NVD database
Technical Details for CVE-2025-6435
Vulnerability Analysis
The vulnerability resides in the Firefox and Thunderbird Developer Tools (DevTools) component. The Network tab allows developers to inspect HTTP responses received from web servers. Users can right-click a response and select Save As to write the response body to disk. The intended browser behavior appends a .download suffix to the saved file. This suffix neutralizes any executable extension supplied by the server. The vulnerability breaks this safety mechanism, allowing the file to be saved using the original server-supplied filename and extension.
Root Cause
The root cause is improper enforcement of the .download extension policy within the DevTools Network panel save handler. The save path bypassed the normalization logic that other browser download flows apply. A response served with a Content-Disposition filename ending in .exe, .bat, .dll, .scr, or similar executable extension would be written unchanged. This represents an Unrestricted Upload of File with Dangerous Type [CWE-434] manifesting on the download side.
Attack Vector
An attacker hosts a malicious file on a web server reachable by the target. The server responds with a filename containing an executable extension. The attacker convinces a developer or technical user to inspect the response in DevTools and use Save As to write it locally. Because the saved file retains its executable extension, double-clicking it triggers code execution under the user's account. Exploitation requires multiple user interaction steps, which is reflected in the high attack complexity. The technical details are documented in Mozilla Bug Report #1950056 and Mozilla Bug Report #1961777.
No verified proof-of-concept code is publicly available. The exploitation flow consists of crafting a server response with an executable filename and waiting for a developer to save the response via the Network tab Save As action.
Detection Methods for CVE-2025-6435
Indicators of Compromise
- Executable files (.exe, .bat, .cmd, .scr, .js, .vbs) created in user download or working directories with parent process firefox.exe or thunderbird.exe
- DevTools Save As activity correlated with subsequent process creation events spawning from saved files
- Network connections from Firefox or Thunderbird to untrusted hosts immediately preceding new executable file writes
Detection Strategies
- Monitor file creation events where the writing process is firefox.exe or thunderbird.exe and the file extension is associated with executable content
- Correlate browser-initiated file writes with child process creation events to identify cases where users launched the saved payload
- Alert on Firefox or Thunderbird versions below 140 reported through endpoint software inventory
Monitoring Recommendations
- Enforce endpoint software inventory checks to identify unpatched Firefox and Thunderbird installations
- Log and review process tree relationships between browser processes and any executables they write or spawn
- Track user-launched executables originating from browser download directories using endpoint telemetry
How to Mitigate CVE-2025-6435
Immediate Actions Required
- Update Firefox to version 140 or later and Thunderbird to version 140 or later across all managed endpoints
- Audit existing browser deployments using software inventory tooling and prioritize systems used by developers and IT staff
- Educate developers about safe handling of responses captured through DevTools, especially from untrusted origins
Patch Information
Mozilla fixed the issue in Firefox 140 and Thunderbird 140. Patch details are published in Mozilla Security Advisory MFSA-2025-51 and Mozilla Security Advisory MFSA-2025-54. Apply the vendor-supplied updates through your standard patch management process.
Workarounds
- Avoid using the DevTools Network tab Save As function on responses from untrusted servers until patches are deployed
- Save inspected responses to a sandboxed analysis environment rather than the host workstation
- Restrict execution of files downloaded from browsers using application control policies that block unsigned executables in user-writable paths
# Verify installed Firefox version on Linux endpoints
firefox --version
# Verify installed Thunderbird version on Linux endpoints
thunderbird --version
# Windows: query installed version via registry
reg query "HKLM\SOFTWARE\Mozilla\Mozilla Firefox" /v CurrentVersion
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

