CVE-2025-6430 in Firefox
Summary
by MITRE • 06/24/2025
When a file download is specified via the `Content-Disposition` header, that directive would be ignored if the file was included via a `<embed>` or `<object>` tag, potentially making a website vulnerable to a cross-site scripting attack. This vulnerability affects Firefox < 140 and Firefox ESR < 128.12.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 08/17/2025
This vulnerability represents a critical security flaw in Mozilla Firefox browsers that stems from improper handling of content disposition headers when files are embedded within web pages. The issue manifests when a web application attempts to force file downloads through the Content-Disposition header while simultaneously embedding that same file using HTML embed or object tags. The browser's inconsistent behavior creates a potential attack vector that could be exploited by malicious actors to bypass intended security restrictions and execute cross-site scripting attacks.
The technical root cause lies in Firefox's inconsistent interpretation of the Content-Disposition header when files are loaded through different embedding mechanisms. When a file is included via `<embed>` or `<object>` tags, the browser ignores the Content-Disposition directive that would normally trigger a download prompt or prevent execution of potentially malicious content. This behavior creates a security boundary that should maintain strict content isolation but instead allows for dangerous content execution. The vulnerability specifically affects Firefox versions prior to 140 and Firefox ESR versions prior to 128.12, indicating this was a widespread issue across multiple browser release channels.
The operational impact of this vulnerability is significant as it allows attackers to manipulate how files are processed and displayed within the browser context. When an attacker can control the Content-Disposition header for embedded content, they can potentially bypass security measures designed to prevent automatic execution of scripts or other malicious content. This creates opportunities for cross-site scripting attacks where malicious code could be injected and executed within the context of the victim's browser session, potentially leading to session hijacking, data theft, or further exploitation of the user's browser environment.
From a cybersecurity perspective, this vulnerability aligns with CWE-1004 which addresses insecure default settings and improper handling of security-critical headers. The flaw also maps to ATT&CK technique T1203 which involves exploitation of web browsers through manipulation of content delivery mechanisms. The vulnerability essentially creates a pathway for attackers to subvert browser security models that are designed to prevent automatic execution of embedded content while maintaining download restrictions. Organizations using affected Firefox versions should prioritize immediate patching to prevent exploitation, as the vulnerability represents a direct threat to browser security boundaries and user data protection. The issue demonstrates the importance of consistent security behavior across all content handling mechanisms within web browsers and underscores the critical need for proper header validation and content disposition enforcement regardless of how files are embedded or accessed within web pages.