DEBIAN-CVE-2025-8031

DEBIAN-CVE-2025-8031 PUBLISHED CVSS 9.800000190734863 CRITICAL

The `username:password` part was not correctly stripped from URLs in CSP reports potentially leaking HTTP Basic Authentication credentials. This vulnerability was fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1.

Risk Scores

CVSS 3.1

9.800000190734863

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products

Vendor	Product	Versions
Debian:12	thunderbird	1:115.7.0-1~deb11u1, 102.13.0-1, 102.13.1-1
Debian:13	thunderbird	0, 0
Debian:11	firefox-esr	78.15.0esr-1~deb10u1, 78.14.0esr-1~deb9u1, 78.14.0esr-1~deb11u1
Debian:12	firefox-esr	*, 0, 102.12.0esr-1
Debian:14	thunderbird	0, 0
Debian:14	firefox-esr	0, 0
Debian:13	firefox-esr	0, 0
Debian:11	thunderbird	102.13.1-1, 102.13.1-1, 102.13.1-1

Timeline

Jul 22, 2025 CVE Published
Apr 28, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2025-8031 advisory

Open in Interactive Console →