CVE-2025-8031

CRITICAL
2025-07-22 [email protected]
Mozilla Privilege Escalation Thunderbird Redhat Suse
9.8
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Apr 13, 2026 - 15:40 vuln.today

DescriptionNVD

The username:password part was not correctly stripped from URLs in CSP reports potentially leaking HTTP Basic Authentication credentials. This vulnerability was fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1.

AnalysisAI

HTTP Basic Authentication credentials leak in Mozilla Firefox and Thunderbird via Content Security Policy (CSP) violation reports affects all versions prior to Firefox 141, Firefox ESR 128.13/140.1, and Thunderbird 141/128.13/140.1. When CSP violations occur on pages using HTTP Basic Auth, the browser incorrectly includes username:password in the violation report URL sent to the CSP report endpoint, exposing credentials to potentially untrusted third parties. With CVSS 9.8 and network-based unauthenticated attack vector (AV:N/AC:L/PR:N), this represents a critical credential disclosure vulnerability, though no public exploit or active exploitation (non-KEV) is confirmed at time of analysis.

Technical ContextAI

Content Security Policy (CSP) is a browser security mechanism that reports policy violations to designated endpoints for monitoring. The vulnerability stems from improper credential stripping (CWE-276: Incorrect Default Permissions) in Mozilla's CSP reporting implementation. When a web page loaded via HTTP Basic Authentication (credentials embedded in URL as https://username:[email protected]) triggers a CSP violation, the browser generates a violation report containing the full URL. Mozilla Firefox and Thunderbird failed to sanitize the userinfo component (username:password@) before transmitting these reports to CSP report-uri endpoints. Affected products per CPE data include Mozilla Firefox regular releases (pre-141), Firefox ESR branches 128.x (pre-128.13) and 140.x (pre-140.1), and corresponding Thunderbird versions across regular and ESR channels. The root cause involves insufficient URL normalization in the CSP reporting codepath, allowing RFC 3986 userinfo credentials to leak through automated security reports.

RemediationAI

Immediately upgrade to patched versions: Firefox 141 or later for regular release users, Firefox ESR 128.13 or Firefox ESR 140.1 for extended support deployments, Thunderbird 141 for regular channel, or Thunderbird ESR 128.13/140.1 for enterprise ESR deployments. Patches available through Mozilla's official download channels at mozilla.org/firefox and mozilla.org/thunderbird, with automatic updates enabled by default in most installations. Enterprise administrators should prioritize ESR channel updates via standard software distribution mechanisms. As a defense-in-depth measure independent of patching, organizations should audit and eliminate HTTP Basic Authentication credentials embedded in URLs (deprecated per RFC 3986 security considerations), transition to modern authentication methods like OAuth 2.0 or session-based auth, and review CSP report-uri endpoints to ensure they are under organizational control rather than third-party services. Detailed remediation guidance available in Mozilla Security Advisories MFSA2025-56, MFSA2025-58, MFSA2025-59, MFSA2025-61, MFSA2025-62, and MFSA2025-63.

Vendor StatusVendor

Share

CVE-2025-8031 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy