CVE-2025-6429

Incorrect parsing of URLs could have allowed embedding of youtube.com

CVSS 6.5 MEDIUMEPSS 0.3%CWE-116

Firefox could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing the URL specified in an `embed` tag. This could have bypassed website security checks that restricted which domains users were allowed to embed. This vulnerability was fixed in Firefox 140, Firefox ESR 128.12, Thunderbird 140, and Thunderbird 128.12.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Productos afectados

Mozilla · Firefox Mozilla · Thunderbird

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://bugzilla.mozilla.org/show_bug.cgi?id=1970658 https://lists.debian.org/debian-lts-announce/2025/06/msg00029.html https://lists.debian.org/debian-lts-announce/2025/07/msg00002.html https://www.mozilla.org/security/advisories/mfsa2025-51/https://www.mozilla.org/security/advisories/mfsa2025-53/https://www.mozilla.org/security/advisories/mfsa2025-54/https://www.mozilla.org/security/advisories/mfsa2025-55/