CVE-2025-6433

9.8 CRITICAL

📋 TL;DR

This vulnerability allows malicious websites with invalid TLS certificates to bypass WebAuthn security requirements and prompt users for authentication challenges. Attackers could trick users into authenticating with their security keys on compromised sites. Affects Firefox and Thunderbird users running versions before 140.

💻 Affected Systems

Products:
  • Mozilla Firefox
  • Mozilla Thunderbird
Versions: Firefox < 140, Thunderbird < 140
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Exploitation requires the user to bypass a TLS certificate warning and visit the malicious website.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal WebAuthn credentials and impersonate users on legitimate services, potentially gaining unauthorized access to sensitive accounts and systems.

🟠 Likely Case

Phishing campaigns could use this to harvest WebAuthn credentials from users who bypass TLS warnings, leading to account compromise.

🟢 If Mitigated

With TLS validation enforced and users trained not to click through certificate warnings, exploitation still requires user interaction and a deliberate bypass of those warnings.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction (bypassing a TLS warning) but is straightforward once the user visits the malicious site.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 140, Thunderbird 140

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2025-51/

Restart Required: Yes

Instructions:

1. Open Firefox/Thunderbird.
2. Click menu → Help → About Firefox/Thunderbird.
3. Allow the automatic update to version 140 or higher.
4. Restart the browser/email client.

🔧 Temporary Workarounds

Disable TLS certificate exception bypass (applies to: all)

Configure the browser so users cannot add exceptions for invalid TLS certificates:

about:config → security.certerror.hideAddException → true

Disable WebAuthn (applies to: all)

Temporarily disable WebAuthn authentication:

about:config → security.webauth.webauthn → false

🧯 If You Can't Patch

  • Educate users to never bypass TLS certificate warnings for untrusted websites
  • Implement network filtering to block access to known malicious domains

🔍 How to Verify

Check if Vulnerable:

Check the browser version under About Firefox/Thunderbird. If the version is less than 140, the system is vulnerable.

Check Version:

firefox --version or thunderbird --version

Verify Fix Applied:

Verify version is 140 or higher in About Firefox/Thunderbird menu.

📡 Detection & Monitoring

Log Indicators:

  • WebAuthn authentication attempts from sites with invalid certificates
  • User bypass of TLS certificate warnings

Network Indicators:

  • TLS connections to domains with invalid certificates followed by WebAuthn traffic

SIEM Query:

source="browser_logs" AND (event="certificate_error_bypass" OR event="webauthn_challenge") AND dest_cert_valid="false"
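The correlation behind the SIEM query above, as an added example that is not part of this advisory: it flags a host where a certificate-warning bypass is followed, within a short window, by a WebAuthn challenge over a connection whose certificate is invalid. The field names follow the query; the log lines and their `ts host=... event=... dest_cert_valid=...` layout are constructed sample data.

```python
"""Correlate TLS certificate-warning bypasses with subsequent WebAuthn
challenges on the same host (the pattern described in the Detection section).

Field names (event, dest_cert_valid, host) are taken from the page's SIEM
query; the log format and the sample lines below are constructed, not real
browser telemetry.
"""
from datetime import datetime, timedelta

# Constructed sample events (not real logs).
SAMPLE_LOGS = [
    "2025-06-20T10:00:01Z host=login.example.test event=certificate_error_bypass dest_cert_valid=false",
    "2025-06-20T10:00:09Z host=login.example.test event=webauthn_challenge dest_cert_valid=false",
    "2025-06-20T10:05:00Z host=bank.example.test event=webauthn_challenge dest_cert_valid=true",
    "2025-06-20T11:00:00Z host=other.example.test event=certificate_error_bypass dest_cert_valid=false",
    "2025-06-20T13:30:00Z host=other.example.test event=webauthn_challenge dest_cert_valid=false",
]


def parse_line(line):
    """Parse 'ts key=value ...' into a dict; ts is ISO-8601 UTC."""
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def find_suspicious_webauthn(lines, window=timedelta(minutes=10)):
    """Return (host, bypass_ts, challenge_ts) for every WebAuthn challenge on
    an invalid-certificate connection that follows a certificate-warning
    bypass on the same host within `window`."""
    last_bypass = {}
    hits = []
    for rec in sorted((parse_line(ln) for ln in lines), key=lambda r: r["ts"]):
        if rec.get("event") == "certificate_error_bypass":
            last_bypass[rec["host"]] = rec["ts"]
        elif (rec.get("event") == "webauthn_challenge"
              and rec.get("dest_cert_valid") == "false"):
            bypass = last_bypass.get(rec["host"])
            if bypass is not None and rec["ts"] - bypass <= window:
                hits.append((rec["host"], bypass, rec["ts"]))
    return hits


if __name__ == "__main__":
    for host, b, c in find_suspicious_webauthn(SAMPLE_LOGS):
        print(f"ALERT {host}: cert warning bypassed {b:%H:%M:%S}, WebAuthn challenge {c:%H:%M:%S}")
```

With the default 10-minute window only login.example.test is flagged; the other.example.test pair is hours apart and only appears if the window is widened.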
