CVE-2025-6432 in Firefox
Summary
by MITRE • 06/24/2025
When Multi-Account Containers was enabled, DNS requests could have bypassed a SOCKS proxy when the domain name was invalid or the SOCKS proxy was not responding. This vulnerability affects Firefox < 140.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 08/17/2025
This vulnerability resides within the Firefox browser's handling of network requests when the Multi-Account Containers extension is active. The flaw specifically manifests in how the browser manages DNS resolution and proxy routing for domains that either do not exist or whose DNS servers are unreachable. When a user attempts to access a website through a SOCKS proxy while using Multi-Account Containers, the browser fails to properly enforce proxy rules for invalid domain names or when the proxy server is unresponsive. This represents a significant security gap that could allow malicious actors to bypass intended network controls and potentially access resources that should be restricted through the proxy infrastructure.
The technical implementation of this vulnerability stems from the browser's failure to maintain consistent proxy enforcement across all network request scenarios. When DNS resolution fails or times out, the Multi-Account Containers extension does not properly fall back to the configured SOCKS proxy settings, instead allowing direct network access to invalid domains. This behavior creates an attack surface where users might inadvertently or maliciously bypass network security policies that are meant to route all traffic through specific proxy servers for monitoring, filtering, or access control purposes. The vulnerability is classified under CWE-693 as "Protection Mechanism Failure" and aligns with ATT&CK technique T1071.1001 for application layer protocol: DNS, where adversaries may exploit such bypass mechanisms to circumvent network controls.
The operational impact of this vulnerability extends beyond simple privacy concerns to encompass potential data exfiltration, unauthorized access to internal resources, and bypass of corporate security policies. Organizations that rely on SOCKS proxies for network segmentation, content filtering, or monitoring may find their security measures compromised when users access invalid domains through Firefox with Multi-Account Containers enabled. This could lead to exposure of sensitive information, violation of compliance requirements, and potential breaches through direct connections to malicious sites. The vulnerability affects all Firefox versions prior to 140, making it particularly concerning for organizations with delayed update cycles or restricted deployment processes. Users operating in environments where network traffic must be controlled through proxy infrastructure face significant risk when this vulnerability is present.
Mitigation strategies should prioritize immediate patching of affected Firefox versions to 140 or later, which contains the necessary fixes for proper proxy enforcement. Organizations should also implement network monitoring to detect unauthorized direct connections that may indicate exploitation attempts. Additional controls include disabling or restricting the Multi-Account Containers extension in environments where strict proxy enforcement is required, implementing network segmentation to limit access to critical resources, and conducting regular security assessments to identify potential bypass mechanisms. Security teams should also consider deploying network intrusion detection systems that can identify anomalous DNS resolution patterns or direct connections that could indicate exploitation of this vulnerability. The fix addresses the underlying issue by ensuring that invalid DNS requests properly route through configured proxy servers rather than allowing direct access, thereby maintaining the intended security posture of network infrastructure.