ByteOS Network

NVD Vulnerability Details :

CVE-2025-6433

Modified

Source-security@mozilla.org

Published At-24 Jun, 2025 | 13:15

Updated At-13 Apr, 2026 | 15:17

If a user visited a webpage with an invalid TLS certificate, and granted an exception, the webpage was able to provide a WebAuthn challenge that the user would be prompted to complete. This is in violation of the WebAuthN spec which requires "a secure transport established without errors". This vulnerability was fixed in Firefox 140 and Thunderbird 140.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.1	9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Type: Secondary

Version: 3.1

Base score: 9.8

Base severity: CRITICAL

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CPE Matches

Mozilla Corporation

>>firefox>>Versions before 140.0(exclusive)

cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-295	Secondary	134c704f-9b21-4f2e-91b3-4a467353bcc0

CWE ID: CWE-295

Type: Secondary

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

References

Hyperlink	Source	Resource
https://bugzilla.mozilla.org/show_bug.cgi?id=1954033	security@mozilla.org	Permissions Required
https://www.mozilla.org/security/advisories/mfsa2025-51/	security@mozilla.org	Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2025-54/	security@mozilla.org	N/A

Hyperlink: https://bugzilla.mozilla.org/show_bug.cgi?id=1954033

Source: security@mozilla.org

Resource:

Permissions Required

Hyperlink: https://www.mozilla.org/security/advisories/mfsa2025-51/

Source: security@mozilla.org

Resource:

Vendor Advisory

Hyperlink: https://www.mozilla.org/security/advisories/mfsa2025-54/

Source: security@mozilla.org

Resource: N/A

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History