CVE-2025-6432

8.6 HIGH

📋 TL;DR

This vulnerability allows DNS requests to bypass SOCKS proxy configurations when Multi-Account Containers is enabled and either the domain name is invalid or the SOCKS proxy is unresponsive. This affects Firefox versions below 140 and Thunderbird versions below 140, potentially exposing users' DNS queries to unintended networks.

💻 Affected Systems

Products:
  • Mozilla Firefox
  • Mozilla Thunderbird
Versions: Firefox < 140, Thunderbird < 140
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ✅ No
Notes: Requires Multi-Account Containers feature to be enabled and configured to use SOCKS proxy.

⚠️ Risk & Real-World Impact

🔴 Worst Case

DNS queries leak to the internet, revealing internal hostnames, visited domains, and potentially sensitive metadata to attackers who can intercept network traffic.

🟠 Likely Case

DNS requests bypass organizational proxy controls, potentially exposing browsing patterns and internal network information when users encounter invalid domains or proxy issues.

🟢 If Mitigated

Limited exposure with minimal sensitive data leakage if proper network segmentation and monitoring are in place.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction (browsing) and specific proxy configuration conditions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 140, Thunderbird 140

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2025-51/

Restart Required: Yes

Instructions:

1. Open Firefox/Thunderbird.
2. Go to Help > About Firefox/Thunderbird.
3. Allow automatic update to version 140 or higher.
4. Restart the application.

🔧 Temporary Workarounds

Disable Multi-Account Containers

all

Temporarily disable the Multi-Account Containers feature to prevent the bypass.

In about:config, set 'privacy.userContext.enabled' to false.

Use alternative proxy configuration

all

Configure proxy settings at system level instead of within Firefox/Thunderbird.

🧯 If You Can't Patch

  • Implement network monitoring for DNS queries bypassing proxy
  • Restrict use of Multi-Account Containers feature in vulnerable versions

🔍 How to Verify

Check if Vulnerable:

Check Firefox/Thunderbird version in Help > About. If version is below 140 and Multi-Account Containers is enabled with SOCKS proxy, system is vulnerable.

Check Version:

firefox --version (Linux) or check About dialog

Verify Fix Applied:

Confirm version is 140 or higher in Help > About and test DNS resolution through proxy.

📡 Detection & Monitoring

Log Indicators:

  • DNS queries from Firefox/Thunderbird bypassing proxy logs
  • Failed proxy connection attempts followed by direct DNS resolution

Network Indicators:

  • DNS traffic from Firefox/Thunderbird clients not routed through expected SOCKS proxy
  • Unexpected DNS queries to public resolvers

SIEM Query:

(source="firefox" OR source="thunderbird") AND event="dns_query" AND NOT proxy_ip="expected_proxy"
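
The two log indicators above, correlated in code as an added example (not from Mozilla or the advisory): it flags DNS queries made directly by Firefox/Thunderbird on hosts expected to resolve through SOCKS, and marks those that follow a proxy failure. The log layout, event names, host names and the 30-second window are assumptions, and the sample lines are constructed.

```python
from datetime import datetime, timedelta

# Constructed endpoint-telemetry lines; the key=value layout and event names
# are assumptions for this example, not a real product's log format.
SAMPLE_LOG = """\
2025-07-01T09:00:00Z host=ws-17 proc=firefox event=socks_connect_failed
2025-07-01T09:00:02Z host=ws-17 proc=firefox event=dns_query dst=192.0.2.53 qname=wiki.corp.example
2025-07-01T09:05:00Z host=ws-17 proc=firefox event=dns_query dst=192.0.2.53 qname=bad_host!.example
2025-07-01T09:05:30Z host=ws-17 proc=curl event=dns_query dst=192.0.2.53 qname=www.example.org
2025-07-01T09:06:00Z host=ws-22 proc=thunderbird event=dns_query dst=192.0.2.53 qname=mail.example.org
"""

PROXIED_HOSTS = {"ws-17"}            # assumption: hosts whose containers use a SOCKS proxy
WATCHED_PROCS = {"firefox", "thunderbird"}
WINDOW = timedelta(seconds=30)       # assumption: failure-to-query correlation window


def parse(line):
    """Split 'TIMESTAMP k=v k=v ...' into a dict with a parsed 'ts' field."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_leaks(log_text, proxied_hosts=PROXIED_HOSTS, window=WINDOW):
    """Return (host, qname, reason) for each direct DNS query that should have
    gone through the proxy. Assumes lines are in chronological order."""
    last_failure = {}   # (host, proc) -> time of most recent proxy failure
    findings = []
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse(line)
        key = (rec.get("host"), rec.get("proc"))
        if key[0] not in proxied_hosts or key[1] not in WATCHED_PROCS:
            continue
        if rec.get("event") == "socks_connect_failed":
            last_failure[key] = rec["ts"]
        elif rec.get("event") == "dns_query":
            failed_at = last_failure.get(key)
            recent = failed_at is not None and rec["ts"] - failed_at <= window
            reason = "after_proxy_failure" if recent else "direct_dns"
            findings.append((key[0], rec.get("qname"), reason))
    return findings


if __name__ == "__main__":
    for finding in find_leaks(SAMPLE_LOG):
        print(finding)
```
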
