CVE-2025-6433

If a user visited a webpage with an invalid TLS certificate, and granted an exception, the webpage was able to provide a WebAuthn challenge that the user would be prompted to complete. This is in violation of the WebAuthN spec which requires "a secure transport established without errors". This vulnerability affects Firefox < 140.
Configurations

Configuration 1

cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*

History

03 Jul 2025, 16:04

Type | Values Removed | Values Added
References | () https://bugzilla.mozilla.org/show_bug.cgi?id=1954033 - | () https://bugzilla.mozilla.org/show_bug.cgi?id=1954033 - Permissions Required
References | () https://www.mozilla.org/security/advisories/mfsa2025-51/ - | () https://www.mozilla.org/security/advisories/mfsa2025-51/ - Vendor Advisory
CPE | | cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
First Time | | Mozilla
First Time | | Mozilla firefox

25 Jun 2025, 13:15

Type | Values Removed | Values Added
CVSS | v2 : unknown, v3 : unknown | v2 : unknown, v3 : 9.8
CWE | | CWE-295
Summary | | (es) If a user visited a web page with an invalid TLS certificate and granted an exception, the web page could generate a WebAuthN challenge that the user was prompted to complete. This violates the WebAuthN specification, which requires "a secure transport established without errors". This vulnerability affects Firefox prior to version 140.

24 Jun 2025, 13:15

Type | Values Removed | Values Added
New CVE | |

Information

Published : 2025-06-24 13:15

Updated : 2025-07-03 16:04


NVD link : CVE-2025-6433

Mitre link : CVE-2025-6433

CVE.ORG link : CVE-2025-6433


Products Affected

mozilla

  • firefox
CWE
CWE-295
Improper Certificate Validation