How to fix CVE-2025-6429?

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.

Is Ubuntu affected by CVE-2025-6429?

CVE-2025-6429 presents notable security risk rated CVSS 6.5. Exploitation could compromise the security of affected deployments. Organizations should apply vendor updates when available and monitor for exploitation.

CVE-2025-6429

EUVD-2025-21378 MEDIUM

2025-06-24 [email protected]

6.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Lifecycle Timeline

Patch Released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 15, 2026 - 22:36 vuln.today

EUVD ID Assigned

Mar 15, 2026 - 22:36 euvd

EUVD-2025-21378

CVE Published

Jun 24, 2025 - 13:15 nvd

MEDIUM 6.5

Description

Firefox could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing the URL specified in an `embed` tag. This could have bypassed website security checks that restricted which domains users were allowed to embed. This vulnerability affects Firefox < 140, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12.

Analysis

Firefox could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing the URL specified in an embed tag. This could have bypassed website security checks that restricted which domains users were allowed to embed. This vulnerability affects Firefox < 140, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12.

Technical Context

This vulnerability is classified as Improper Encoding or Escaping of Output (CWE-116).

Affected Products

Affected products: Mozilla Firefox

Remediation

Monitor vendor advisories for patches. Apply mitigations such as network segmentation, access restrictions, and monitoring.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +32

POC: 0

Vendor Status

Ubuntu

Priority: Medium

mozjs52

Release	Status	Version
focal	ignored	-
jammy	DNE	-
noble	DNE	-
bionic	ignored	-
oracular	DNE	-
plucky	DNE	-
upstream	needs-triage	-
questing	DNE	-

firefox

Release	Status	Version
jammy	not-affected	code not present
noble	not-affected	code not present
oracular	not-affected	code not present
plucky	not-affected	code not present
upstream	needs-triage	-
questing	not-affected	code not present

thunderbird

Release	Status	Version
noble	not-affected	code not present
oracular	not-affected	code not present
plucky	not-affected	code not present
jammy	released	1:128.12.0+build1-0ubuntu0.22.04.1
upstream	released	128.12
questing	not-affected	code not present

mozjs38

Release	Status	Version
bionic	needs-triage	-
jammy	DNE	-
noble	DNE	-
oracular	DNE	-
plucky	DNE	-
upstream	needs-triage	-
questing	DNE	-

mozjs68

Release	Status	Version
focal	ignored	-
jammy	DNE	-
noble	DNE	-
oracular	DNE	-
plucky	DNE	-
upstream	needs-triage	-
questing	DNE	-

mozjs78

Release	Status	Version
jammy	ignored	-
noble	DNE	-
oracular	DNE	-
plucky	DNE	-
upstream	needs-triage	-
questing	DNE	-

mozjs91

Release	Status	Version
jammy	ignored	-
noble	DNE	-
oracular	DNE	-
plucky	DNE	-
upstream	needs-triage	-
questing	DNE	-

mozjs102

Release	Status	Version
jammy	ignored	-
noble	ignored	-
oracular	DNE	-
plucky	DNE	-
upstream	needs-triage	-
questing	DNE	-

mozjs115

Release	Status	Version
jammy	DNE	-
noble	ignored	-
oracular	ignored	-
plucky	ignored	-
upstream	needs-triage	-
questing	DNE	-

USN-7663-1

Debian

firefox

Release	Status	Fixed Version	Urgency
sid	fixed	148.0.2-1	-
(unstable)	fixed	140.0-1	-

firefox-esr

Release	Status	Fixed Version	Urgency
bullseye	fixed	128.12.0esr-1~deb11u1	-
bullseye (security)	fixed	140.8.0esr-1~deb11u1	-
bookworm	fixed	128.12.0esr-1~deb12u1	-
bookworm (security)	fixed	140.8.0esr-1~deb12u1	-
trixie (security), trixie	fixed	140.8.0esr-1~deb13u1	-
forky, sid	fixed	140.8.0esr-1	-
(unstable)	fixed	128.12.0esr-1	-

thunderbird

Release	Status	Fixed Version	Urgency
bullseye	fixed	1:128.12.0esr-1~deb11u1	-
bullseye (security)	fixed	1:140.8.0esr-1~deb11u1	-
bookworm	fixed	1:128.12.0esr-1~deb12u1	-
bookworm (security)	fixed	1:140.8.0esr-1~deb12u1	-
trixie (security), trixie	fixed	1:140.8.0esr-1~deb13u1	-
forky, sid	fixed	1:140.8.0esr-1	-
(unstable)	fixed	1:128.12.0esr-1	-

DLA-4231-1 DLA-4239-1 DSA-5950-1 DSA-5959-1

CVE-2025-6429 vulnerability details – vuln.today

Back

CVE-2025-6429

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Ubuntu

Debian

Share

CVE-2025-6429

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Ubuntu

Debian

Share

External POC / Exploit Code