CVE-2025-6435

8.1 HIGH

📋 TL;DR

This vulnerability in Firefox and Thunderbird allows files saved from the Network tab in Devtools to be written without the .download extension, so a user could inadvertently execute a malicious file instead of opening an inert copy. Attackers could exploit this by tricking users into saving a disguised executable from the Network tab and then running it. This affects Firefox versions before 140 and Thunderbird versions before 140.

💻 Affected Systems

Products:
  • Mozilla Firefox
  • Mozilla Thunderbird
Versions: Firefox < 140, Thunderbird < 140
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires user interaction: the user must save a file from the Network tab in Devtools and then open it.

⚠️ Risk & Real-World Impact

🔴 Worst Case

User executes a malicious executable disguised as a benign file, leading to full system compromise, data theft, or ransomware deployment.

🟠 Likely Case

User accidentally runs a malicious file thinking it's a saved response, resulting in malware infection or credential theft.

🟢 If Mitigated

User notices the missing .download extension or has security software that blocks suspicious executables, preventing execution.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires social engineering to trick users into saving and executing malicious files.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 140, Thunderbird 140

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2025-51/

Restart Required: Yes

Instructions:

1. Open Firefox/Thunderbird.
2. Go to Help > About Firefox/Thunderbird.
3. Allow automatic update to version 140 or higher.
4. Restart the application.

🔧 Temporary Workarounds

Disable Devtools Save As (all platforms)

Prevent users from saving files via the Devtools Network tab.

Command: Not applicable; requires policy/configuration management.

User Education (all platforms)

Train users to verify file extensions before opening saved files.

🧯 If You Can't Patch

  • Disable Devtools access for users via enterprise policies.
  • Implement application whitelisting to block unauthorized executables.

🔍 How to Verify

Check if Vulnerable:

Check Firefox/Thunderbird version: if below 140, vulnerable.

Check Version:

firefox --version or thunderbird --version

Verify Fix Applied:

Confirm version is 140 or higher after update.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file saves from browser processes without .download extension
  • Execution of files saved from browser without proper extension

Network Indicators:

  • Downloads from suspicious sources saved without expected extensions

SIEM Query (generic pseudo-syntax; adapt the field names and process name to your platform and operating system):

process_name:firefox.exe AND file_operation:save AND NOT file_extension:.download
