How to fix EUVD-2025-19016?

Within 24 hours: Issue security alert to all users advising against saving files from Devtools Network tab and to verify file extensions before execution. Within 7 days: Distribute Firefox and Thunderbird version 140 or later through your patch management system and enforce installation via group policy where possible. Within 30 days: Verify 100% compliance of Firefox/Thunderbird upgrades and conduct endpoint scanning for any suspicious executable files saved by users.

Is Firefox affected by EUVD-2025-19016?

CVE-2025-6435 affects Firefox and Thunderbird users who may inadvertently execute malicious files downloaded via the browser's developer tools. This vulnerability could enable malware delivery to employees using affected browser versions, potentially compromising endpoints and sensitive data.

EUVD-2025-19016

| CVE-2025-6435 HIGH

2025-06-24 [email protected]

8.1

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch Released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 15, 2026 - 22:36 vuln.today

EUVD ID Assigned

Mar 15, 2026 - 22:36 euvd

EUVD-2025-19016

CVE Published

Jun 24, 2025 - 13:15 nvd

HIGH 8.1

Description

If a user saved a response from the Network tab in Devtools using the Save As context menu option, that file may not have been saved with the `.download` file extension. This could have led to the user inadvertently running a malicious executable. This vulnerability affects Firefox < 140 and Thunderbird < 140.

Analysis

CVE-2025-6435 is a file handling vulnerability in Firefox and Thunderbird's Developer Tools where saved network responses may lack the .download file extension, potentially allowing attackers to trick users into executing malicious executables. This affects Firefox versions below 140 and Thunderbird versions below 140. The vulnerability requires user interaction (saving and executing a file) but carries high severity (CVSS 8.1) due to potential for arbitrary code execution.

Technical Context

The vulnerability exists in the Network tab of Firefox/Thunderbird Developer Tools (DevTools), specifically in the 'Save As' context menu functionality. When a user right-clicks on a network response and selects 'Save As', the file handling mechanism fails to properly append or enforce the `.download` file extension. This relates to CWE-434 (Unrestricted Upload of File with Dangerous Type), which encompasses improper validation of file types and extensions during file operations. The root cause is insufficient file extension validation in the save dialog handler. The affected CPE would be cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:* (versions <140) and cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:* (versions <140). The issue affects the DevTools frontend code responsible for exporting/saving HTTP responses.

Affected Products

Mozilla Firefox (< 140); Mozilla Thunderbird (< 140)

Remediation

Patch/Update: Upgrade Firefox to version 140 or later (Mozilla) Patch/Update: Upgrade Thunderbird to version 140 or later (Mozilla) Workaround: Until patched, avoid using 'Save As' on network responses in DevTools for potentially untrusted network traffic. Manually verify file extensions before execution. (User) Mitigation: Implement application whitelisting and file execution policies to prevent execution of files saved from untrusted sources without proper validation. (Organizational) Mitigation: Configure browser to treat downloaded/saved files as requiring explicit confirmation before execution. (OS/browser)

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +40

POC: 0

Vendor Status

Ubuntu

Priority: Medium

firefox

Release	Status	Version
jammy	not-affected	code not present
noble	not-affected	code not present
oracular	not-affected	code not present
plucky	not-affected	code not present
upstream	needs-triage	-
questing	not-affected	code not present

thunderbird

Release	Status	Version
noble	not-affected	code not present
oracular	not-affected	code not present
plucky	not-affected	code not present
upstream	released	140
jammy	released	1:140.7.1+build1-0ubuntu0.22.04.1
questing	not-affected	code not present

mozjs38

Release	Status	Version
bionic	needs-triage	-
jammy	DNE	-
noble	DNE	-
oracular	DNE	-
plucky	DNE	-
upstream	needs-triage	-
questing	DNE	-

mozjs52

Release	Status	Version
bionic	ignored	-
focal	ignored	-
jammy	DNE	-
noble	DNE	-
oracular	DNE	-
plucky	DNE	-
upstream	needs-triage	-
questing	DNE	-

mozjs68

Release	Status	Version
focal	ignored	-
jammy	DNE	-
noble	DNE	-
oracular	DNE	-
plucky	DNE	-
upstream	needs-triage	-
questing	DNE	-

mozjs78

Release	Status	Version
jammy	ignored	-
noble	DNE	-
oracular	DNE	-
plucky	DNE	-
upstream	needs-triage	-
questing	DNE	-

mozjs91

Release	Status	Version
jammy	ignored	-
noble	DNE	-
oracular	DNE	-
plucky	DNE	-
upstream	needs-triage	-
questing	DNE	-

mozjs102

Release	Status	Version
jammy	ignored	-
noble	ignored	-
oracular	DNE	-
plucky	DNE	-
upstream	needs-triage	-
questing	DNE	-

mozjs115

Release	Status	Version
jammy	DNE	-
noble	ignored	-
oracular	ignored	-
plucky	ignored	-
upstream	needs-triage	-
questing	DNE	-

USN-7991-1

Debian

firefox

Release	Status	Fixed Version	Urgency
sid	fixed	148.0.2-1	-
(unstable)	fixed	140.0-1	-

EUVD-2025-19016 vulnerability details – vuln.today

Back

EUVD-2025-19016

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Ubuntu

Debian

Share

EUVD-2025-19016

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Ubuntu

Debian

Share

External POC / Exploit Code