CVE-2025-6430 in Firefoxinfo

Summary

by MITRE • 06/24/2025

When a file download is specified via the `Content-Disposition` header, that directive would be ignored if the file was included via a `<embed>` or `<object>` tag, potentially making a website vulnerable to a cross-site scripting attack. This vulnerability affects Firefox < 140 and Firefox ESR < 128.12.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 08/17/2025

This vulnerability represents a critical security flaw in Mozilla Firefox browsers that stems from improper handling of content disposition headers when files are embedded within web pages. The issue manifests when a web application attempts to force file downloads through the Content-Disposition header while simultaneously embedding that same file using HTML embed or object tags. The browser's inconsistent behavior creates a potential attack vector that could be exploited by malicious actors to bypass intended security restrictions and execute cross-site scripting attacks.

The technical root cause lies in Firefox's inconsistent interpretation of the Content-Disposition header when files are loaded through different embedding mechanisms. When a file is included via `<embed>` or `<object>` tags, the browser ignores the Content-Disposition directive that would normally trigger a download prompt or prevent execution of potentially malicious content. This behavior creates a security boundary that should maintain strict content isolation but instead allows for dangerous content execution. The vulnerability specifically affects Firefox versions prior to 140 and Firefox ESR versions prior to 128.12, indicating this was a widespread issue across multiple browser release channels.

The operational impact of this vulnerability is significant as it allows attackers to manipulate how files are processed and displayed within the browser context. When an attacker can control the Content-Disposition header for embedded content, they can potentially bypass security measures designed to prevent automatic execution of scripts or other malicious content. This creates opportunities for cross-site scripting attacks where malicious code could be injected and executed within the context of the victim's browser session, potentially leading to session hijacking, data theft, or further exploitation of the user's browser environment.

From a cybersecurity perspective, this vulnerability aligns with CWE-1004 which addresses insecure default settings and improper handling of security-critical headers. The flaw also maps to ATT&CK technique T1203 which involves exploitation of web browsers through manipulation of content delivery mechanisms. The vulnerability essentially creates a pathway for attackers to subvert browser security models that are designed to prevent automatic execution of embedded content while maintaining download restrictions. Organizations using affected Firefox versions should prioritize immediate patching to prevent exploitation, as the vulnerability represents a direct threat to browser security boundaries and user data protection. The issue demonstrates the importance of consistent security behavior across all content handling mechanisms within web browsers and underscores the critical need for proper header validation and content disposition enforcement regardless of how files are embedded or accessed within web pages.

Responsible

Mozilla

Reservation

06/20/2025

Disclosure

06/24/2025

Moderation

accepted

CPE

ready

EPSS

0.00215

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!