CVE-2025-5270: SNI was sometimes unencrypted in Mozilla Firefox
In certain cases, SNI could have been sent unencrypted even when encrypted DNS was enabled. This vulnerability affects Firefox < 139 and Thunderbird < 139.
AI Analysis
Technical Summary
CVE-2025-5270 is a high-severity vulnerability affecting Mozilla Firefox and Thunderbird versions prior to 139. The issue concerns the Server Name Indication (SNI) extension of the TLS ClientHello, which these clients encrypt via Encrypted Client Hello (ECH) when encrypted DNS (DNS over HTTPS or DNS over TLS) is enabled; the link to DNS exists because the ECH key configuration is delivered in DNS HTTPS records and is only trusted when resolved over an encrypted channel. Due to this vulnerability, in certain cases the SNI was nevertheless transmitted in cleartext while encrypted DNS was active. The SNI reveals the hostname a client is connecting to, which exposes the user's browsing intentions and potentially sensitive information to any network observer. The weakness is classified under CWE-319 (cleartext transmission of sensitive information). The CVSS v3.1 score is 7.5 (high), reflecting that the flaw can be exploited remotely without authentication or user interaction and results in a complete loss of confidentiality for the hostname information. Integrity and availability of the connection are not affected, but the exposure of SNI data undermines user privacy and could facilitate targeted surveillance or censorship. No known exploits are reported in the wild yet, and no patches are linked at this time, indicating that mitigation may require updating to Firefox/Thunderbird 139 or later once available. The vulnerability affects all users of the impacted Mozilla products who rely on encrypted DNS to protect their browsing metadata, especially in environments where network traffic is monitored or filtered.
Potential Impact
For European organizations, this vulnerability poses a significant privacy risk. Many enterprises and individuals in Europe use Firefox and Thunderbird as primary browsers and email clients, often with encrypted DNS enabled to comply with privacy regulations such as GDPR. The unencrypted SNI leaks hostname information, potentially exposing browsing patterns, internal domains, or communication endpoints to network adversaries, including malicious actors or state-level surveillance. This could lead to targeted attacks, industrial espionage, or violation of privacy laws. Organizations handling sensitive data, such as financial institutions, healthcare providers, and government agencies, are particularly at risk. Moreover, the exposure could undermine trust in encrypted DNS solutions, which are increasingly adopted in Europe to enhance privacy. Although the vulnerability does not allow direct code execution or service disruption, the confidentiality breach can have cascading effects on organizational security posture and compliance.
Mitigation Recommendations
European organizations should prioritize updating Mozilla Firefox and Thunderbird to version 139 or later as soon as patches become available. Until then, they should consider disabling encrypted DNS in these applications if the risk of SNI exposure outweighs the benefits, or use alternative browsers and email clients with verified SNI encryption. Network administrators can deploy TLS 1.3 with Encrypted Client Hello (ECH) support where possible, which encrypts SNI more robustly. Monitoring network traffic for unencrypted SNI leaks can help detect exploitation attempts. Additionally, organizations should educate users about this vulnerability and encourage cautious browsing behavior on untrusted networks. Implementing network-level protections such as VPNs or secure proxies can further reduce exposure. Finally, maintaining up-to-date threat intelligence feeds and vendor advisories will ensure timely response to any emerging exploits.
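The monitoring recommendation above can be made concrete by inspecting ClientHello messages on the wire. The following is an added example, not code from Mozilla or from this database: it parses a TLS ClientHello and flags one that carries a cleartext server_name without an encrypted_client_hello extension. The ClientHello bytes are constructed inline for the test; the ECH payload is a placeholder, and when ECH is present the visible server_name is only the provider's public name, not the real destination.

```python
"""Flag TLS ClientHellos carrying a cleartext server_name with no ECH extension (added example)."""
import struct

EXT_SERVER_NAME = 0x0000   # server_name, RFC 6066
EXT_ECH = 0xFE0D           # encrypted_client_hello, draft-ietf-tls-esni

def parse_client_hello(record: bytes) -> dict:
    """Return {'sni': hostname or None, 'ech': bool} from one TLS record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record holding a ClientHello")
    pos = 5 + 4 + 2 + 32                      # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                    # legacy_session_id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher_suites
    pos += 1 + record[pos]                    # legacy_compression_methods
    end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    info = {"sni": None, "ech": False}
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", record, pos)
        body = record[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == EXT_SERVER_NAME:          # ServerNameList: u16 len, u8 type, u16 len, name
            name_len = struct.unpack_from("!H", body, 3)[0]
            info["sni"] = body[5:5 + name_len].decode("ascii")
        elif etype == EXT_ECH:
            info["ech"] = True
    return info

def leaks_sni(record: bytes) -> bool:
    """True when the real hostname is visible: SNI present and no ECH (with ECH the outer SNI is a public name)."""
    info = parse_client_hello(record)
    return info["sni"] is not None and not info["ech"]

def build_client_hello(sni, with_ech: bool) -> bytes:
    """Construct a minimal TLS 1.3-style ClientHello as sample input (constructed data)."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sn_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sn_list)) + sn_list
    if with_ech:
        ech = b"\x00" * 8                     # placeholder; real bodies are HPKE-encrypted
        exts += struct.pack("!HH", EXT_ECH, len(ech)) + ech
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"           # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"            # TLS_AES_128_GCM_SHA256, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

In a real deployment the record bytes would come from a packet capture or a TLS-aware sensor, and a hit from `leaks_sni` on a host expected to be using ECH is the signal worth alerting on.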
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium, Italy, Spain, Poland, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: mozilla
- Date Reserved: 2025-05-27T12:29:28.241Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 6835b383182aa0cae2110aff
Added to database: 5/27/2025, 12:43:47 PM
Last enriched: 9/24/2025, 12:26:39 AM
Last updated: 9/27/2025, 12:10:07 AM