CVE-2025-5270: SNI was sometimes unencrypted in Mozilla Firefox
In certain cases, SNI could have been sent unencrypted even when encrypted DNS was enabled. This vulnerability affects Firefox < 139 and Thunderbird < 139.
AI Analysis
Technical Summary
CVE-2025-5270 is a high-severity vulnerability affecting Mozilla Firefox and Thunderbird versions prior to 139. The issue pertains to the Server Name Indication (SNI) extension in the TLS handshake process. Normally, when encrypted DNS (such as DNS over HTTPS or DNS over TLS) is enabled, the SNI should also be encrypted to prevent exposure of the hostname a user is connecting to. However, due to this vulnerability, in certain cases, the SNI was transmitted unencrypted despite encrypted DNS being active. This leakage occurs because the implementation failed to consistently encrypt the SNI, which is part of the TLS ClientHello message. The vulnerability is classified under CWE-319 (Cleartext Transmission of Sensitive Information), indicating that sensitive data—in this case, the hostname—could be exposed to network observers. The CVSS v3.1 base score is 7.5, reflecting a high severity due to the vulnerability's network attack vector, low attack complexity, no privileges required, and no user interaction needed. The impact is primarily on confidentiality, as the hostname of the requested site could be exposed to passive attackers monitoring network traffic, even when users have taken steps to secure DNS queries. There is no indication of integrity or availability impact. No known exploits are currently in the wild, and no patches are linked yet, suggesting this is a recently disclosed issue. The vulnerability affects Firefox and Thunderbird users who rely on encrypted DNS to protect their browsing privacy, undermining the privacy guarantees of encrypted DNS by leaking the SNI in plaintext.
Potential Impact
For European organizations, this vulnerability poses a significant privacy risk. Many enterprises and individuals in Europe use Firefox and Thunderbird with encrypted DNS to comply with stringent data protection regulations such as GDPR, which emphasize protecting user data and privacy. The leakage of SNI can allow network adversaries, including malicious insiders, ISPs, or state-level actors, to infer which websites or services users are accessing, potentially exposing sensitive business activities or user behavior. This could lead to targeted surveillance, profiling, or even industrial espionage. Although the vulnerability does not allow direct code execution or system compromise, the confidentiality breach could undermine trust in secure communications and lead to regulatory compliance issues. Organizations relying on Firefox or Thunderbird for secure communications should consider this vulnerability critical to address to maintain privacy standards and avoid potential legal repercussions related to data leakage.
Mitigation Recommendations
Organizations should prioritize updating Firefox and Thunderbird to version 139 or later once patches are released by Mozilla. Until then, users should consider disabling encrypted DNS features in Firefox and Thunderbird to avoid a false sense of security, although this reduces overall DNS privacy. Network administrators can implement network-level protections such as enforcing DNS encryption via trusted DNS resolvers outside the client, or deploying VPNs that encapsulate DNS and TLS traffic to prevent SNI leakage. Additionally, organizations can monitor network traffic for unencrypted SNI fields to detect potential exposure. For highly sensitive environments, consider using browsers or clients that implement Encrypted ClientHello (ECH), which encrypts the entire ClientHello including SNI, as a more robust long-term solution. Finally, educating users about the limitations of encrypted DNS in affected versions and encouraging prompt software updates is critical.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: mozilla
- Date Reserved: 2025-05-27T12:29:28.241Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 6835b383182aa0cae2110aff
Added to database: 5/27/2025, 12:43:47 PM
Last enriched: 7/11/2025, 10:49:23 AM
Last updated: 8/10/2025, 4:13:05 PM