CVE-2025-6425 in Firefox
Summary
by MITRE • 06/24/2025
An attacker who enumerated resources from the WebCompat extension could have obtained a persistent UUID that identified the browser, and persisted between containers and normal/private browsing mode, but not profiles. This vulnerability affects Firefox < 140, Firefox ESR < 115.25, and Firefox ESR < 128.12.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/30/2025
This vulnerability in the WebCompat extension represents a significant privacy and tracking risk within the firefox browser ecosystem. The flaw allows attackers to enumerate resources and extract a persistent unique identifier that uniquely identifies the browser instance, creating a sophisticated tracking mechanism that persists across different browsing contexts. The vulnerability specifically impacts firefox versions prior to 140, with extended support releases affected through 115.25 and 128.12 respectively, indicating a prolonged window of exposure for users.
The technical implementation of this vulnerability stems from how the WebCompat extension generates and manages identifiers within the browser environment. The persistent UUID created by this flaw maintains its identification capability across containerized browsing sessions, normal browsing modes, and private browsing contexts, effectively creating a cross-context tracking vector. However, the identifier does not persist between different user profiles, which provides some limited mitigation but does not eliminate the tracking risk entirely. This particular characteristic aligns with common web tracking patterns where identifiers maintain persistence within a single profile but can be segmented across user accounts.
The operational impact of this vulnerability extends beyond simple tracking capabilities and represents a serious threat to user privacy and anonymity. The persistent nature of the UUID across different browsing contexts enables sophisticated tracking mechanisms that can monitor user behavior patterns, preferences, and online activities without traditional privacy protections. This tracking capability becomes particularly concerning when combined with other browser fingerprinting techniques, creating a comprehensive user identification system that can persist even when users attempt to maintain privacy through different browsing modes or containers. The vulnerability essentially undermines the fundamental privacy protections that users expect from modern browsers, particularly in scenarios where multiple browsing contexts are utilized.
Organizations and individual users affected by this vulnerability should immediately upgrade to the patched versions of firefox to eliminate the risk of persistent tracking. The mitigation strategy should include comprehensive browser updates across all affected versions, with particular attention to extended support releases that may have delayed patch deployment. Security teams should implement monitoring for any suspicious resource enumeration activities that might indicate exploitation attempts, while also reviewing existing tracking mechanisms within browser extensions to ensure they do not inadvertently create similar vulnerabilities. This vulnerability demonstrates the critical importance of extension security reviews and highlights the need for robust privacy controls within browser components that interact with user data and identifiers. The issue aligns with common attack patterns documented in the attack pattern taxonomy where persistent identifiers are used to maintain tracking across browsing sessions, representing a direct violation of user privacy expectations and browser security principles.