#VU111886 Information disclosure in Mozilla products - CVE-2025-6425

Cybersecurity Help s.r.o.

Published: 2025-06-24

Vulnerability identifier: #VU111886

Vulnerability risk: Medium

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-6425

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Firefox ESR
Client/Desktop applications / Web browsers
Mozilla Firefox
Client/Desktop applications / Web browsers
Firefox for Android
Mobile applications / Apps for mobile phones

Vendor: Mozilla

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the WebCompat extension shipped with Firefox allows to enumerate resources and obtain a persistent UUID that identifies the browser, and persists between containers and normal/private browsing mode, but not profiles.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Firefox ESR: 102.0, 102.0.1, 102.1.0, 102.2.0, 102.3.0, 102.4.0, 102.5.0, 102.6.0, 102.7.0, 102.8.0, 102.9.0, 102.10.0, 102.11.0, 102.12.0, 102.13.0, 102.14.0, 102.15.0, 102.15.1, 115.0, 115.0.1, 115.0.2, 115.0.3, 115.1.0, 115.2.0, 115.2.1, 115.3.0, 115.3.1, 115.4.0, 115.5.0, 115.6.0, 115.7.0, 115.8.0, 115.9.0, 115.9.1, 115.10.0, 115.11.0, 115.12.0, 115.13.0, 115.14.0, 115.15.0, 115.16.0, 115.16.1, 115.17.0, 115.18.0, 115.19.0, 115.20.0, 115.21.0, 115.21.1, 115.22.0, 115.23.0, 115.23.1, 115.24.0, 128.0, 128.1.0, 128.2.0, 128.3.0, 128.3.1, 128.4.0, 128.5.0, 128.5.1, 128.5.2, 128.6.0, 128.7.0, 128.8.0, 128.8.1, 128.9.0, 128.10.0, 128.10.1, 128.11.0

Mozilla Firefox: 100.0 - 139.0.4

Firefox for Android: 100.1.0 - 139.0.3

External links
https://www.mozilla.org/en-US/security/advisories/mfsa2025-52/
https://bugzilla.mozilla.org/show_bug.cgi?id=1717672
https://www.mozilla.org/en-US/security/advisories/mfsa2025-53/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-51/