CVE-2025-6425 is a privacy-related vulnerability found in the WebCompat WebExtension shipped with Mozilla Firefox versions prior to 140, Firefox ESR versions prior to 115.25, and Firefox ESR versions prior to 128.12. The WebCompat extension is designed to improve website compatibility by enabling certain fixes and workarounds. However, this vulnerability arises because the extension exposes a persistent universally unique identifier (UUID) that can be enumerated by an attacker. This UUID uniquely identifies the browser instance and remains persistent across different browsing contexts such as containers and normal or private browsing modes, although it does not persist across different Firefox profiles. An attacker capable of enumerating resources from the WebCompat extension could extract this UUID, effectively enabling cross-context tracking of the user’s browser. This undermines user privacy by allowing persistent identification and tracking despite the use of private browsing or container tabs, which are typically used to isolate browsing sessions and reduce tracking. The vulnerability does not require user authentication or interaction beyond visiting a malicious or compromised website that can access the WebCompat extension’s exposed resources. There are no known exploits in the wild at the time of publication, and no official patch links have been provided yet. The vulnerability does not affect the confidentiality or integrity of data directly but impacts user privacy and anonymity by leaking a persistent identifier. The scope affects all Firefox users on the specified vulnerable versions, which are widely used across personal, enterprise, and governmental environments.

For European organizations, the primary impact of CVE-2025-6425 is the erosion of user privacy and potential exposure to tracking and profiling by malicious actors. Organizations relying on Firefox for secure and private browsing, especially those handling sensitive or regulated data, may face increased risk of user identification and tracking across browsing sessions, undermining privacy compliance efforts such as those mandated by GDPR. This could lead to reputational damage, regulatory scrutiny, and potential legal consequences if user privacy is compromised. Additionally, sectors such as finance, healthcare, and government agencies that emphasize strong privacy controls could see increased risk of targeted profiling or surveillance. While the vulnerability does not directly allow code execution or data manipulation, the persistent UUID could be combined with other attack vectors to facilitate more sophisticated profiling or targeted attacks. The lack of requirement for user interaction or authentication means that any user visiting a malicious or compromised website could be affected, increasing the attack surface. Given Firefox’s significant market share in Europe, especially among privacy-conscious users and organizations, the impact is non-trivial.

1. Immediate mitigation involves updating Firefox to version 140 or later, or the corresponding ESR versions 115.25 or 128.12 once patches are officially released. Organizations should prioritize deploying these updates across all endpoints. 2. Until patches are available, organizations can consider disabling or restricting the WebCompat extension via enterprise policies or Firefox configuration settings to prevent exposure of the UUID. 3. Employ network-level protections such as web filtering and intrusion detection systems to block or monitor suspicious requests attempting to enumerate extension resources. 4. Educate users about the risks of visiting untrusted websites and encourage the use of additional privacy tools such as VPNs or privacy-focused browser extensions that limit fingerprinting and tracking. 5. For high-security environments, consider using separate Firefox profiles or browsers that are not affected by this vulnerability to isolate sensitive browsing activities. 6. Monitor Mozilla security advisories closely for official patches and guidance, and test updates in controlled environments before wide deployment. 7. Review and enhance organizational privacy policies and incident response plans to address potential privacy breaches stemming from tracking vulnerabilities.