CVE-2025-0239 is a vulnerability affecting Mozilla Firefox versions prior to 134 and Thunderbird versions prior to 134 and ESR versions prior to 128.6. The issue arises from improper validation of ALPN certificates during the use of Alt-Svc, a mechanism that allows HTTP/2 or HTTP/3 connections to be redirected to alternative services. Specifically, when the original server redirects to an insecure site, Firefox and Thunderbird fail to properly validate the certificates associated with the ALPN negotiation. This improper validation can be exploited by an attacker positioned to intercept or manipulate network traffic (local attacker) to redirect users to insecure endpoints without triggering certificate validation errors. The vulnerability is classified under CWE-295, which involves improper certificate validation leading to potential man-in-the-middle (MITM) attacks that compromise the integrity of communications. The CVSS v3.1 score is 4.0 (medium severity), reflecting that the attack vector is local (AV:L), requires low attack complexity (AC:L), no privileges (PR:N), no user interaction (UI:N), and impacts integrity (I:L) but not confidentiality or availability. No known exploits have been reported in the wild as of the publication date. The vulnerability affects core Mozilla products widely used for web browsing and email, which rely heavily on secure TLS connections and proper certificate validation to maintain trust and security in communications.

For European organizations, this vulnerability poses a risk primarily to the integrity of web and email communications conducted via affected versions of Firefox and Thunderbird. An attacker with local network access could exploit this flaw to redirect users to insecure sites or intercept communications, potentially injecting malicious content or altering data in transit. While confidentiality and availability are not directly impacted, the integrity compromise could facilitate further attacks such as phishing, malware delivery, or data manipulation. Organizations in sectors with high security requirements—such as finance, government, healthcare, and critical infrastructure—may face increased risk due to the reliance on secure communications. The vulnerability could undermine trust in secure connections, especially in environments where Alt-Svc is used to optimize network performance or redirect traffic. Given the medium severity and local attack vector, the threat is more relevant in environments where attackers have network proximity, such as public Wi-Fi, corporate networks, or compromised internal segments.

1. Update affected Mozilla Firefox and Thunderbird installations to versions 134 or later, or ESR 128.6 or later, as soon as patches become available. 2. Until patches are applied, disable Alt-Svc support in Firefox and Thunderbird via configuration settings (e.g., about:config) to prevent the use of alternative services that trigger the vulnerability. 3. Monitor network traffic for suspicious redirects involving Alt-Svc headers, especially redirects to insecure (non-HTTPS) sites. 4. Employ network segmentation and strong access controls to limit local network attacker capabilities, reducing the risk of man-in-the-middle attacks. 5. Educate users about the risks of using unsecured Wi-Fi networks and encourage the use of VPNs to protect local network traffic. 6. Implement network-level TLS interception detection tools to identify anomalous certificate behavior or unexpected redirects. 7. Coordinate with IT and security teams to audit and update security policies regarding browser and email client configurations to minimize exposure.