CVE-2025-8031: Mozilla Firefox Information Disclosure Bug

CVE-2025-8031 Overview

CVE-2025-8031 is an Information Leakage vulnerability affecting Mozilla Firefox and Thunderbird browsers. The vulnerability stems from improper handling of URLs in Content Security Policy (CSP) reports, where the username:password component was not correctly stripped from URLs before being included in CSP violation reports. This flaw could result in HTTP Basic Authentication credentials being inadvertently leaked to CSP report endpoints.

When a CSP violation occurs, browsers generate reports that include the blocked URL. In vulnerable versions, if a URL contained embedded HTTP Basic Authentication credentials (in the format https://username:password@example.com), these sensitive credentials would be transmitted to the configured CSP report-uri endpoint without proper sanitization.

Critical Impact

Sensitive HTTP Basic Authentication credentials embedded in URLs may be leaked to third-party CSP report collection endpoints, potentially enabling unauthorized access to protected resources.

Affected Products

• Mozilla Firefox < 141
• Mozilla Firefox ESR < 128.13
• Mozilla Firefox ESR < 140.1
• Mozilla Thunderbird < 141
• Mozilla Thunderbird ESR < 128.13
• Mozilla Thunderbird ESR < 140.1

Discovery Timeline

• July 22, 2025 - CVE-2025-8031 published to NVD
• November 3, 2025 - Last updated in NVD database

Technical Details for CVE-2025-8031

Vulnerability Analysis

The vulnerability exists in the URL sanitization logic within Mozilla's CSP implementation. When generating CSP violation reports, the browser must sanitize URLs to prevent sensitive information from being transmitted to potentially untrusted report collection endpoints. According to the CSP specification, user credentials embedded in URLs should be stripped before inclusion in reports to protect sensitive authentication data.

In vulnerable versions, the URL parsing and sanitization routine failed to properly identify and remove the username:password portion of URLs following the scheme delimiter (://). This means that when a web page triggers a CSP violation involving a URL with embedded credentials, those credentials would be included verbatim in the JSON payload sent to the CSP report-uri or report-to endpoint.

The vulnerability is classified under CWE-276 (Incorrect Default Permissions), though the primary security concern relates to information disclosure through improper data handling in security-critical browser functionality.

Root Cause

The root cause is an incomplete implementation of URL sanitization in the CSP reporting mechanism. The code responsible for preparing CSP violation reports failed to properly parse and redact authentication credentials from URLs before serializing them into report payloads. This oversight in the URL processing pipeline allowed sensitive credential data to bypass the intended security controls.

Attack Vector

The attack vector for this vulnerability is network-based and requires no privileges or user interaction. An attacker could exploit this vulnerability through the following scenarios:

Scenario 1: Malicious CSP Report Endpoint
An attacker controlling a website could configure their CSP policy to send reports to an attacker-controlled endpoint. If a user visits this site and the page attempts to load resources using URLs containing embedded credentials, those credentials would be leaked to the attacker's report collection server.

Scenario 2: Third-Party Report Collection
Organizations using third-party CSP monitoring services may inadvertently leak credentials if internal applications use URL-embedded authentication for legacy resources that trigger CSP violations.

Exploitation Mechanism:

The vulnerability can be exploited when a web application with CSP reporting enabled references resources using URLs containing embedded credentials. When these requests violate the CSP policy, the browser generates a report containing the unsanitized URL, transmitting credentials to the configured report endpoint.

For detailed technical information, refer to Mozilla Bug Report #1971719 and the associated security advisories.

Detection Methods for CVE-2025-8031

Indicators of Compromise

• Outbound network traffic containing CSP violation reports with URLs that include username:password@ patterns
• Unusual authentication failures on systems protected by HTTP Basic Authentication following CSP report transmission
• Log entries from CSP report endpoints showing credentials in blocked-uri or document-uri fields
• Network captures showing sensitive credential data in JSON payloads to report-uri destinations

Detection Strategies

• Monitor network traffic for CSP violation reports containing authentication credentials in URL patterns
• Implement content inspection on outbound traffic to CSP report endpoints looking for credential patterns
• Review CSP report logs for URLs containing the @ symbol preceded by potential username:password combinations
• Deploy browser version auditing to identify vulnerable Firefox and Thunderbird installations across the enterprise

Monitoring Recommendations

• Enable detailed logging on CSP report collection endpoints to identify potential credential leakage
• Configure SIEM rules to alert on CSP reports containing URL patterns matching ://[^@]+:[^@]+@
• Audit all CSP policies in use across web applications to inventory configured report-uri endpoints
• Monitor for unauthorized access attempts using credentials that may have been leaked through CSP reports

How to Mitigate CVE-2025-8031

Immediate Actions Required

• Update Mozilla Firefox to version 141 or later, or Firefox ESR to version 128.13 or 140.1
• Update Mozilla Thunderbird to version 141 or later, or Thunderbird ESR to version 128.13 or 140.1
• Audit and rotate any HTTP Basic Authentication credentials that may have been embedded in URLs and exposed through CSP reports
• Review CSP report logs to identify any credentials that may have already been leaked

Patch Information

Mozilla has released security patches addressing this vulnerability across multiple product lines. Organizations should apply the following updates:

• Firefox: Update to version 141 or later
• Firefox ESR: Update to version 128.13 or 140.1 or later
• Thunderbird: Update to version 141 or later
• Thunderbird ESR: Update to version 128.13 or 140.1 or later

For complete patch details, refer to the official Mozilla Security Advisories:

• MFSA 2025-56
• MFSA 2025-58
• MFSA 2025-59
• MFSA 2025-61
• MFSA 2025-62
• MFSA 2025-63

Debian users should refer to the Debian LTS Announcement for distribution-specific updates.

Workarounds

• Avoid using URLs with embedded credentials (username:password@) in web applications until browsers are patched
• Temporarily disable CSP reporting by removing report-uri and report-to directives from CSP policies if credential leakage is a concern
• Migrate from HTTP Basic Authentication to more secure authentication mechanisms that don't embed credentials in URLs
• Implement network-level filtering to redact credentials from outbound CSP report traffic as an interim measure

# Verify Firefox version to ensure patched version is installed
firefox --version
# Expected: Mozilla Firefox 141.0 or later

# Verify Thunderbird version
thunderbird --version
# Expected: Mozilla Thunderbird 141.0 or later

# For enterprise environments, use policy templates to enforce minimum versions
# Example: Check browser version in enterprise management systems