cvedb.io
CVE-2025-6429
MEDIUM · CVSS 6.5
EPSS exploitation probability: 0%
Published 2025-06-24T13:15:23.877 · Last modified 2026-06-17T10:01:52.393

Summary

Firefox could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing the URL specified in an `embed` tag. This could have bypassed website security checks that restricted which domains users were allowed to embed. This vulnerability was fixed in Firefox 140, Firefox ESR 128.12, Thunderbird 140, and Thunderbird 128.12.

Affected products

mozilla — firefox

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.