CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
Description
If a user visited a webpage with an invalid TLS certificate, and granted an exception, the webpage was able to provide a WebAuthn challenge that the user would be prompted to complete. This is in violation of the WebAuthN spec which requires "a secure transport established without errors". This vulnerability affects Firefox < 140 and Thunderbird < 140.
Analysis
CVE-2025-6433 is a WebAuthn transport-security flaw in Firefox and Thunderbird. The WebAuthn specification requires that the API only be usable over a secure transport established without errors; in affected versions, an origin that the user reached by clicking through a certificate error (a user-granted exception) could nevertheless invoke WebAuthn and prompt the user to complete a challenge. The practical concern is that a network attacker who can present a certificate for the victim site, and persuade the user to accept it, then occupies the origin the authenticator will sign for, which undermines the origin binding that makes WebAuthn phishing-resistant. WebAuthn private keys never leave the authenticator, so the exposure is misuse of an assertion obtained over an untrusted connection rather than theft of the credential itself. Firefox < 140 and Thunderbird < 140 are affected. The CVSS 3.1 vector on this page scores the flaw 9.8 (network, low complexity, no privileges, no user interaction). In practice the attack depends on the user having accepted the certificate exception first, so treat the UI:N component with some scepticism when prioritising.
Technical Context
WebAuthn (Web Authentication) is the W3C standard behind passkeys and security-key logins. Its security rests on origin binding: the authenticator signs over the relying party ID and the client data, which includes the origin, so an assertion obtained on a look-alike site cannot be replayed against the real one. Because the browser is the component that vouches for that origin, the specification requires that the API be exposed only over "a secure transport established without errors". That is stricter than the generic secure-context check: an https: origin counts as a secure context even when the user has overridden a certificate error, whereas WebAuthn additionally demands that the TLS handshake validated cleanly. In affected Firefox and Thunderbird builds a page loaded after the user accepted an invalid or self-signed certificate was still allowed to call navigator.credentials.get() (and create()) and trigger an authenticator prompt. The weakness is classified as CWE-295 (Improper Certificate Validation): when gating WebAuthn, the browser did not distinguish "certificate validated" from "certificate error overridden by the user". The affected CPE identifiers are mozilla:firefox (versions < 140) and mozilla:thunderbird (versions < 140).
Affected Products
Firefox (< 140); Thunderbird (< 140)
Remediation
Immediate remediation: (1) update Firefox to version 140 or later; (2) update Thunderbird to version 140 or later. The fixed versions refuse WebAuthn requests from origins whose TLS session carries an overridden certificate error, so a user-granted exception no longer unlocks the API. Until patched: (a) do not grant certificate exceptions on hosts used for authentication, including any host under a relying party's RP ID, since WebAuthn allows a subdomain to authenticate for its registrable parent domain; (b) review existing exceptions (Firefox: Settings > Privacy & Security > Certificates > View Certificates > Servers) and delete any that were not added deliberately; (c) administrators can prevent users from adding exceptions in the first place through Firefox enterprise policies (policies.json, GPO on Windows, or macOS configuration profiles). Given how widely these products are deployed, treat the update as a priority in vulnerability management. The interim mitigations in (a) to (c) do not degrade WebAuthn: sites with valid certificates are unaffected, and sites that already show certificate errors lose only what the specification says they should never have had.
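The following script supports mitigation (b): it parses a Firefox profile's cert_override.txt, the file in which Firefox persists user-granted certificate exceptions, and flags every exception whose host falls under a relying party ID you care about (the subdomain rule is the WebAuthn one: an RP ID may be any registrable suffix of the origin's domain). This is an added example, not code from the advisory or from Mozilla. The tab-separated field layout it parses (host:port[:originAttributes], fingerprint OID, fingerprint, flag letters M/U/T) is the author's understanding of the format and should be checked against the file in the profile you audit; the sample file contents and fingerprints are constructed.

```python
"""Audit user-granted certificate exceptions in a Firefox profile.

Assumed cert_override.txt layout (one exception per non-comment line):
    host:port[:originAttributes] <TAB> OID.<hash alg> <TAB> fingerprint <TAB> flags
Flags: M = hostname mismatch, U = untrusted/unknown issuer, T = validity period.
"""
import sys
from dataclasses import dataclass

FLAG_MEANING = {"M": "hostname mismatch", "U": "untrusted issuer", "T": "validity period"}


@dataclass(frozen=True)
class CertOverride:
    host: str
    port: int
    fingerprint: str
    flags: str


def parse_cert_override(text: str) -> list[CertOverride]:
    """Parse cert_override.txt contents; malformed lines are skipped, not guessed at."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 4:
            continue
        target, _oid, fingerprint, flags = fields[:4]
        parts = target.split(":", 2)  # host, port, optional origin attributes
        if len(parts) < 2 or not parts[1].isdigit():
            continue
        entries.append(CertOverride(parts[0], int(parts[1]), fingerprint, flags))
    return entries


def host_in_scope(host: str, rp_id: str) -> bool:
    """True if an exception for `host` could be used against relying party `rp_id`.

    WebAuthn lets an origin use any registrable suffix of its domain as the RP ID,
    so sso.example.com can authenticate for RP ID example.com.
    """
    host, rp_id = host.lower().rstrip("."), rp_id.lower().rstrip(".")
    return host == rp_id or host.endswith("." + rp_id)


def find_risky_overrides(entries: list[CertOverride], rp_ids: set[str]) -> list[CertOverride]:
    """Return, in file order, the exceptions that touch any of the given RP IDs."""
    return [e for e in entries if any(host_in_scope(e.host, rp) for rp in rp_ids)]


def describe(entry: CertOverride) -> str:
    reasons = ", ".join(FLAG_MEANING[f] for f in entry.flags if f in FLAG_MEANING)
    return f"{entry.host}:{entry.port} [{reasons}]"


# Constructed sample of a cert_override.txt; fingerprints are placeholders.
SAMPLE_CERT_OVERRIDE = (
    "# PSM Certificate Override Settings file\n"
    "# This is a generated file!  Do not edit.\n"
    "intranet.corp.example:443\tOID.2.16.840.1.101.3.4.2.1\t"
    "D4:1D:8C:D9:8F:00:B2:04:E9:80:09:98:EC:F8:42:7E:"
    "D4:1D:8C:D9:8F:00:B2:04:E9:80:09:98:EC:F8:42:7E\tU\n"
    "sso.example.com:443\tOID.2.16.840.1.101.3.4.2.1\t"
    "11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:"
    "11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00\tMUT\n"
    "example.com:8443:^userContextId=2\tOID.2.16.840.1.101.3.4.2.1\t"
    "00:FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:"
    "00:FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11\tT\n"
)


def audit(text: str, rp_ids: set[str]) -> list[str]:
    """Human-readable findings for the exceptions that overlap the protected RP IDs."""
    return [describe(e) for e in find_risky_overrides(parse_cert_override(text), rp_ids)]


if __name__ == "__main__":
    # Usage: python audit_overrides.py <profile>/cert_override.txt example.com bank.example.net
    if len(sys.argv) >= 3:
        with open(sys.argv[1], encoding="utf-8") as fh:
            content = fh.read()
        protected = set(sys.argv[2:])
    else:
        content, protected = SAMPLE_CERT_OVERRIDE, {"example.com"}
    for finding in audit(content, protected):
        print("exception overlaps protected RP ID:", finding)
```

Run it against the profile's cert_override.txt with the RP IDs of your identity providers; any hit is an exception that, on an unpatched build, lets whoever presented that certificate stand in for the relying party. The profile directory is listed under about:support in Firefox.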
Priority Score
Vendor Status
Ubuntu
Priority: Medium
| Release | Status | Version |
|---|---|---|
| jammy | not-affected | code not present |
| noble | not-affected | code not present |
| oracular | not-affected | code not present |
| plucky | not-affected | code not present |
| upstream | needs-triage | - |
| questing | not-affected | code not present |
| Release | Status | Version |
|---|---|---|
| noble | not-affected | code not present |
| oracular | not-affected | code not present |
| plucky | not-affected | code not present |
| upstream | released | 140 |
| questing | not-affected | code not present |
| jammy | released | 1:140.7.1+build1-0ubuntu0.22.04.1 |
| Release | Status | Version |
|---|---|---|
| bionic | needs-triage | - |
| jammy | DNE | - |
| noble | DNE | - |
| oracular | DNE | - |
| plucky | DNE | - |
| upstream | needs-triage | - |
| questing | DNE | - |
| Release | Status | Version |
|---|---|---|
| bionic | ignored | - |
| focal | ignored | - |
| jammy | DNE | - |
| noble | DNE | - |
| oracular | DNE | - |
| plucky | DNE | - |
| upstream | needs-triage | - |
| questing | DNE | - |
| Release | Status | Version |
|---|---|---|
| focal | ignored | - |
| jammy | DNE | - |
| noble | DNE | - |
| oracular | DNE | - |
| plucky | DNE | - |
| upstream | needs-triage | - |
| questing | DNE | - |
| Release | Status | Version |
|---|---|---|
| jammy | ignored | - |
| noble | DNE | - |
| oracular | DNE | - |
| plucky | DNE | - |
| upstream | needs-triage | - |
| questing | DNE | - |
| Release | Status | Version |
|---|---|---|
| jammy | ignored | - |
| noble | DNE | - |
| oracular | DNE | - |
| plucky | DNE | - |
| upstream | needs-triage | - |
| questing | DNE | - |
| Release | Status | Version |
|---|---|---|
| jammy | ignored | - |
| noble | ignored | - |
| oracular | DNE | - |
| plucky | DNE | - |
| upstream | needs-triage | - |
| questing | DNE | - |
| Release | Status | Version |
|---|---|---|
| jammy | DNE | - |
| noble | ignored | - |
| oracular | ignored | - |
| plucky | ignored | - |
| upstream | needs-triage | - |
| questing | DNE | - |
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| sid | fixed | 148.0.2-1 | - |
| (unstable) | fixed | 140.0-1 | - |
External POC / Exploit Code
EUVD-2025-19088