CVE-2025-6429

MEDIUM 6.5

Incorrect parsing of URLs could have allowed embedding of youtube.com

CVSS Score

6.5

EPSS Score

0.0%

EPSS Percentile

0th

Firefox could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing the URL specified in an `embed` tag. This could have bypassed website security checks that restricted which domains users were allowed to embed. This vulnerability was fixed in Firefox 140, Firefox ESR 128.12, Thunderbird 140, and Thunderbird 128.12.

Vendor	mozilla
Product	firefox
Ecosystems	Browser JavaScript
Industries	Technology
Published	Jun 24, 2025
Last Updated	Apr 13, 2026

Stay Ahead of the Next One

Get instant alerts for mozilla firefox

Be the first to know when new medium vulnerabilities affecting mozilla firefox are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Mozilla / Firefox

All versions affected

Mozilla / Thunderbird

All versions affected

References

NVD ↗ CVE.org ↗ EPSS Data ↗

bugzilla.mozilla.org: https://bugzilla.mozilla.org/show_bug.cgi?id=1970658 mozilla.org: https://www.mozilla.org/security/advisories/mfsa2025-51/ mozilla.org: https://www.mozilla.org/security/advisories/mfsa2025-53/ mozilla.org: https://www.mozilla.org/security/advisories/mfsa2025-54/ mozilla.org: https://www.mozilla.org/security/advisories/mfsa2025-55/ lists.debian.org: https://lists.debian.org/debian-lts-announce/2025/07/msg00002.html lists.debian.org: https://lists.debian.org/debian-lts-announce/2025/06/msg00029.html

Credits

Masato Kinugawa