DEBIAN-CVE-2025-6429

DEBIAN-CVE-2025-6429 PUBLISHED CVSS 6.5 MEDIUM

Firefox could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing the URL specified in an `embed` tag. This could have bypassed website security checks that restricted which domains users were allowed to embed. This vulnerability was fixed in Firefox 140, Firefox ESR 128.12, Thunderbird 140, and Thunderbird 128.12.

Risk Scores

CVSS 3.1

6.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Affected Products

Vendor	Product	Versions
Debian:12	thunderbird	125.0, 127.0, 128.0
Debian:13	firefox-esr	0, 0
Debian:14	thunderbird	0, 0
Debian:11	thunderbird	102.4.0-1, 102.4.1-1, 102.5.0-1
Debian:12	firefox-esr	, , *
Debian:13	thunderbird	0, 0
Debian:14	firefox-esr	0, 0
Debian:11	firefox-esr	102.9.0, 102.9.0, 102.9.0

Timeline

Jun 24, 2025 CVE Published
Apr 28, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2025-6429 advisory

Open in Interactive Console →