CVE-2025-5270: Vulnerability in Mozilla Firefox
In certain cases, SNI could have been sent unencrypted even when encrypted DNS was enabled. This vulnerability affects Firefox < 139 and Thunderbird < 139.
AI Analysis
Technical Summary
CVE-2025-5270 is a vulnerability discovered in Mozilla Firefox and Thunderbird prior to version 139, where the Server Name Indication (SNI) extension in TLS handshakes could be transmitted in plaintext even when encrypted DNS (such as DNS over HTTPS or DNS over TLS) is enabled. The SNI field reveals the hostname a client is attempting to connect to during the TLS handshake, which can be observed by network adversaries if not encrypted. Although encrypted DNS protects the DNS query content, the unencrypted SNI leaks the domain name, undermining user privacy and confidentiality. This vulnerability is categorized under CWE-319 (Cleartext Transmission of Sensitive Information). The CVSS v3.1 base score is 7.5 (high), reflecting that the vulnerability can be exploited remotely without authentication or user interaction, and it impacts confidentiality only. The flaw does not affect the integrity or availability of the browser or the system. No patches or exploits are currently publicly available, but the issue is acknowledged and tracked by Mozilla. The vulnerability is significant because it defeats the privacy benefits of encrypted DNS by exposing domain names to passive network observers, such as ISPs or malicious actors on the same network. This can lead to privacy violations, targeted surveillance, or profiling of user browsing habits.
Potential Impact
For European organizations, this vulnerability poses a notable privacy risk, especially for entities relying on Firefox or Thunderbird for secure communications. The leakage of SNI information can expose sensitive browsing patterns or communication endpoints to network adversaries, including ISPs, corporate network monitors, or state-level actors. This is particularly concerning in Europe due to stringent data protection regulations like GDPR, which emphasize confidentiality and privacy. Organizations in sectors such as finance, healthcare, legal, and government could see increased risk of targeted surveillance or data leakage. Additionally, privacy-conscious users and activists may have their anonymity compromised. While the vulnerability does not allow code execution or system compromise, the exposure of domain names can facilitate further targeted attacks or profiling. The impact is magnified in environments where encrypted DNS is deployed to enhance privacy, as this vulnerability negates part of that protection.
Mitigation Recommendations
The primary mitigation is to update Mozilla Firefox and Thunderbird to version 139 or later once official patches addressing this vulnerability are released. Until then, organizations should consider the following measures:
1) Employ network-level protections such as VPNs or encrypted tunnels that conceal SNI information from local network observers.
2) Use browsers or clients that support Encrypted Client Hello (ECH), which encrypts the SNI field, if available.
3) Monitor network traffic for unencrypted SNI leaks to identify potential exposure.
4) Educate users about the risk and encourage the use of updated software and secure browsing practices.
5) For high-security environments, consider alternative browsers or configurations that do not expose SNI or that implement ECH.
6) Coordinate with IT and security teams to ensure timely patch management and vulnerability scanning focused on client software versions.
These steps go beyond generic advice by focusing on interim network protections and user awareness until patches are available.
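For measure 3, the following added example (not part of the advisory or of Mozilla's code) parses a TLS ClientHello record and reports the hostname visible in the cleartext `server_name` extension and whether an `encrypted_client_hello` extension is present. The function names are hypothetical, the sample records are constructed, and the parser assumes the whole ClientHello sits in one TLS record over TCP.

```python
import struct

SNI_EXT, ECH_EXT = 0x0000, 0xFE0D  # server_name, encrypted_client_hello

def client_hello_extensions(record: bytes) -> dict:
    """Map extension type -> body for one TLS ClientHello record, else {}."""
    # record: type(1)=22, version(2), len(2); handshake: type(1)=1, len(3)
    if len(record) < 9 or record[0] != 22 or record[5] != 1:
        return {}
    p = 9 + 2 + 32  # skip client_version and random
    try:
        p += 1 + record[p]  # session_id
        p += 2 + struct.unpack_from("!H", record, p)[0]  # cipher_suites
        p += 1 + record[p]  # compression_methods
        end = p + 2 + struct.unpack_from("!H", record, p)[0]
        p += 2
        exts = {}
        while p + 4 <= min(end, len(record)):
            etype, elen = struct.unpack_from("!HH", record, p)
            exts[etype] = record[p + 4:p + 4 + elen]
            p += 4 + elen
        return exts
    except (IndexError, struct.error):  # truncated or malformed hello
        return {}

def inspect_record(record: bytes):
    """Return (cleartext hostname or None, ECH extension present)."""
    exts = client_hello_extensions(record)
    sni, host = exts.get(SNI_EXT, b""), None
    if len(sni) >= 5 and sni[2] == 0:  # name_type 0 = host_name
        n = struct.unpack_from("!H", sni, 3)[0]
        host = sni[5:5 + n].decode("ascii", "replace")
    return host, ECH_EXT in exts

def sample_client_hello(host: str, ech: bool = False) -> bytes:
    """Constructed test input: a minimal ClientHello, not captured traffic."""
    name = host.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", SNI_EXT, len(sni)) + sni
    if ech:
        exts += struct.pack("!HH", ECH_EXT, 4) + bytes(4)  # placeholder body
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01"
            + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

The presence of the ECH extension alone does not prove the real hostname is hidden: with ECH the outer SNI carries the provider's public name, and clients may send a GREASE ECH extension, so the reported hostname still needs review against the sites users actually visit.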
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway, Belgium, Spain, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: mozilla
- Date Reserved: 2025-05-27T12:29:28.241Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 6835b383182aa0cae2110aff
Added to database: 5/27/2025, 12:43:47 PM
Last enriched: 10/31/2025, 5:03:50 AM
Last updated: 11/22/2025, 6:03:36 PM