Mozilla Firefox — свободный браузер на движке Gecko
Релизный цикл, информация об уязвимостях
График релизов
Количество 15 501
CVE-2025-6427
An attacker was able to bypass the `connect-src` directive of a Conten ...
CVE-2025-6427
An attacker was able to bypass the `connect-src` directive of a Content Security Policy by manipulating subdocuments. This would have also hidden the connections from the Network tab in Devtools. This vulnerability affects Firefox < 140 and Thunderbird < 140.
CVE-2025-6426
The executable file warning did not warn users before opening files wi ...
CVE-2025-6426
The executable file warning did not warn users before opening files with the `terminal` extension. *This bug only affects Firefox for macOS. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 140, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12.
CVE-2025-6425
An attacker who enumerated resources from the WebCompat extension coul ...
CVE-2025-6425
An attacker who enumerated resources from the WebCompat extension could have obtained a persistent UUID that identified the browser, and persisted between containers and normal/private browsing mode, but not profiles. This vulnerability affects Firefox < 140, Firefox ESR < 115.25, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12.
CVE-2025-6424
A use-after-free in FontFaceSet resulted in a potentially exploitable ...
CVE-2025-6424
A use-after-free in FontFaceSet resulted in a potentially exploitable crash. This vulnerability affects Firefox < 140, Firefox ESR < 115.25, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12.
CVE-2025-6433
If a user visited a webpage with an invalid TLS certificate, and granted an exception, the webpage was able to provide a WebAuthn challenge that the user would be prompted to complete. This is in violation of the WebAuthN spec which requires "a secure transport established without errors". This vulnerability affects Firefox < 140 and Thunderbird < 140.
CVE-2025-6434
The exception page for the HTTPS-Only feature, displayed when a website is opened via HTTP, lacked an anti-clickjacking delay, potentially allowing an attacker to trick a user into granting an exception and loading a webpage over HTTP. This vulnerability affects Firefox < 140 and Thunderbird < 140.
Уязвимостей на страницу
Уязвимость | CVSS | EPSS | Опубликовано 1 | |
|---|---|---|---|---|
| CVE-2025-6427 An attacker was able to bypass the `connect-src` directive of a Conten ... | CVSS3: 9.1 | 0% Низкий | 8 месяцев назад |
 | CVE-2025-6427 An attacker was able to bypass the `connect-src` directive of a Content Security Policy by manipulating subdocuments. This would have also hidden the connections from the Network tab in Devtools. This vulnerability affects Firefox < 140 and Thunderbird < 140. | CVSS3: 9.1 | 0% Низкий | 8 месяцев назад |
| CVE-2025-6426 The executable file warning did not warn users before opening files wi ... | CVSS3: 8.8 | 0% Низкий | 8 месяцев назад |
| CVE-2025-6426 The executable file warning did not warn users before opening files with the `terminal` extension. *This bug only affects Firefox for macOS. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 140, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12. | CVSS3: 8.8 | 0% Низкий | 8 месяцев назад |
| CVE-2025-6425 An attacker who enumerated resources from the WebCompat extension coul ... | CVSS3: 4.3 | 0% Низкий | 8 месяцев назад |
| CVE-2025-6425 An attacker who enumerated resources from the WebCompat extension could have obtained a persistent UUID that identified the browser, and persisted between containers and normal/private browsing mode, but not profiles. This vulnerability affects Firefox < 140, Firefox ESR < 115.25, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12. | CVSS3: 4.3 | 0% Низкий | 8 месяцев назад |
| CVE-2025-6424 A use-after-free in FontFaceSet resulted in a potentially exploitable ... | CVSS3: 9.8 | 0% Низкий | 8 месяцев назад |
| CVE-2025-6424 A use-after-free in FontFaceSet resulted in a potentially exploitable crash. This vulnerability affects Firefox < 140, Firefox ESR < 115.25, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12. | CVSS3: 9.8 | 0% Низкий | 8 месяцев назад |
 | CVE-2025-6433 If a user visited a webpage with an invalid TLS certificate, and granted an exception, the webpage was able to provide a WebAuthn challenge that the user would be prompted to complete. This is in violation of the WebAuthN spec which requires "a secure transport established without errors". This vulnerability affects Firefox < 140 and Thunderbird < 140. | CVSS3: 9.8 | 0% Низкий | 8 месяцев назад |
| CVE-2025-6434 The exception page for the HTTPS-Only feature, displayed when a website is opened via HTTP, lacked an anti-clickjacking delay, potentially allowing an attacker to trick a user into granting an exception and loading a webpage over HTTP. This vulnerability affects Firefox < 140 and Thunderbird < 140. | CVSS3: 4.3 | 0% Низкий | 8 месяцев назад |
Уязвимостей на страницу