This vulnerability involves bypassing the connect-src directive of a Content Security Policy in Firefox and Thunderbird by manipulating subdocuments, which also conceals network connections from the Devtools Network tab. It was reported by Alan Li and tracked under Bug 1966927. The flaw was addressed and fixed in Firefox 140 and Thunderbird 140 releases. The CVSS 3.1 score is 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), reflecting a critical remote attack vector with high confidentiality and integrity impact but no availability impact.

An attacker exploiting this vulnerability could bypass CSP restrictions intended to control allowed network connections, potentially enabling unauthorized data exfiltration or communication with malicious endpoints. Additionally, the bypass hides these connections from the Network tab in Devtools, reducing visibility for developers and defenders. The vulnerability is rated critical with a high CVSS score of 9.1, indicating severe impact on confidentiality and integrity.

This vulnerability is fixed in Firefox 140 and Thunderbird 140. Users and administrators should upgrade to these versions or later to remediate the issue. No additional mitigation steps are required as the vendor advisory confirms the availability of an official fix.