
CVE-2025-6430: Vulnerability in Mozilla Firefox

Severity: Medium
Published: Tue Jun 24 2025 (06/24/2025, 12:28:01 UTC)
Source: CVE Database V5
Vendor/Project: Mozilla
Product: Firefox

Description

When a file download is specified via the `Content-Disposition` header, that directive would be ignored if the file was included via a `<embed>` or `<object>` tag, potentially making a website vulnerable to a cross-site scripting attack. This vulnerability affects Firefox < 140, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12.

AI-Powered Analysis

Last updated: 11/08/2025, 02:15:58 UTC

Technical Analysis

CVE-2025-6430 is a cross-site scripting (XSS) vulnerability in Mozilla Firefox and Thunderbird, affecting Firefox versions prior to 140, Firefox ESR versions before 128.12, Thunderbird versions before 140, and Thunderbird ESR versions before 128.12. The flaw lies in the handling of the Content-Disposition HTTP header when a file download is specified. Normally, a Content-Disposition header that requests a download instructs the browser to treat the response as a downloadable file rather than render it, and to use the supplied filename. When the same resource was loaded through an <embed> or <object> element, however, Firefox and Thunderbird ignored the header. A website that relies on that header to keep a served file from being rendered could therefore have that protection bypassed: web content that embeds the file via <embed> or <object> could cause it to render instead of download, enabling the injection and execution of script within the context of the vulnerable browser.

The flaw is classified under CWE-79, indicating a failure to properly neutralise untrusted input before it reaches a web page, leading to script injection. It has a CVSS 3.1 base score of 6.1, a medium severity. The vector string (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) indicates that the attack can be launched remotely over the network with low attack complexity and no privileges, but requires user interaction. The scope is changed, meaning the vulnerability can affect resources beyond the vulnerable component. The impact is on confidentiality and integrity, not availability.

No known exploits had been reported in the wild at the time of publication. The vulnerability was publicly disclosed on June 24, 2025; no patches are linked in this record, although the affected-version ranges indicate that Firefox 140, Firefox ESR 128.12 and the corresponding Thunderbird releases contain the fix. The vulnerability could be leveraged by attackers to execute malicious scripts, steal sensitive information, or perform actions on behalf of the user within the browser context, potentially leading to session hijacking or data theft.

Potential Impact

For European organizations, this vulnerability poses a significant risk to the confidentiality and integrity of data accessed or processed via Firefox and Thunderbird clients. Organizations relying on these clients for web applications, especially those handling sensitive information such as financial data, personal information, or intellectual property, could be targeted by attackers exploiting this XSS flaw to execute malicious scripts. This could lead to unauthorized data access, session hijacking, or the injection of malicious payloads that compromise user trust and system security. Because user interaction is required, phishing or social engineering campaigns could be used to lure users into visiting maliciously crafted web pages. Exploitation could disrupt secure communications and data handling, affecting compliance with GDPR and other data protection regulations. Additionally, sectors such as government, finance, healthcare, and critical infrastructure in Europe, which often use Firefox for its open-source nature and privacy features, may face elevated risk. The absence of known exploits currently provides a window for proactive mitigation, but the medium severity and changed scope indicate that the threat could escalate if exploited widely.

Mitigation Recommendations

1. Immediate mitigation should focus on upgrading Firefox and Thunderbird to version 140 or later, and the ESR branches to 128.12 or later, as soon as Mozilla's patched releases are available.
2. Until patched, enforce strict Content Security Policies (CSP) that restrict the execution of scripts from embedded content and untrusted sources, minimising the impact of XSS exploitation.
3. Educate users about the risks of interacting with untrusted web content, especially embedded files, to reduce successful phishing or social engineering attempts.
4. Employ web filtering and endpoint protection solutions that can detect and block malicious web pages or payloads exploiting this vulnerability.
5. Monitor network traffic and browser logs for unusual activity indicative of attempted exploitation, such as unexpected script execution or anomalous embedded content.
6. Consider disabling or restricting the use of <embed> and <object> tags in internal web applications or content where feasible.
7. Coordinate with IT and security teams to prioritise patch management and vulnerability scanning focused on browser and email client versions.
8. Review and update incident response plans to include scenarios involving browser-based XSS attacks, to ensure rapid containment and remediation.
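The analysis above makes the point that a download endpoint which relies on Content-Disposition alone has no second line of defence once a browser renders the bytes through <embed> or <object>; mitigation 2 asks for a CSP that neutralises such content. The audit below, an added example that is not Mozilla's code nor part of this record, checks a download response and the application page's CSP for the layered controls a defender would want. The function names, the header dictionaries and every header value are constructed for illustration.

```python
"""Audit whether a site relies on Content-Disposition alone to keep served
files from rendering in its origin (CVE-2025-6430: Firefox < 140 ignored it for
<embed>/<object>). Added example, not Mozilla's code; header values constructed."""

RENDERABLE = {"text/html", "application/xhtml+xml", "image/svg+xml"}

def parse_csp(value):
    """Parse a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy

def script_blocked(policy):
    """True if a document carrying this CSP cannot run script even when rendered."""
    if "sandbox" in policy and "allow-scripts" not in policy["sandbox"]:
        return True
    return policy.get("script-src", policy.get("default-src")) == ["'none'"]

def embed_blocked(policy):
    """True if object-src (or its default-src fallback) is 'none'."""
    return policy.get("object-src", policy.get("default-src")) == ["'none'"]

def audit(download_headers, app_page_csp):
    """Findings for a download response and the app page CSP; [] means hardened."""
    h = {k.lower(): v for k, v in download_headers.items()}
    findings = []
    if not h.get("content-disposition", "").lower().startswith("attachment"):
        findings.append("Content-Disposition is not 'attachment'")
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype in RENDERABLE:
        findings.append(f"renderable Content-Type {ctype}: serve application/octet-stream")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if not script_blocked(parse_csp(h.get("content-security-policy", ""))):
        findings.append("download CSP lets script run if rendered: add sandbox")
    if not embed_blocked(parse_csp(app_page_csp)):
        findings.append("app page CSP allows <embed>/<object>: add object-src 'none'")
    return findings

# Constructed samples: one response trusting Content-Disposition alone, one hardened.
WEAK = {"Content-Type": "text/html", "Content-Disposition": 'attachment; filename="a.html"'}
HARDENED = {"Content-Type": "application/octet-stream",
            "Content-Disposition": 'attachment; filename="a.html"',
            "X-Content-Type-Options": "nosniff",
            "Content-Security-Policy": "default-src 'none'; sandbox"}

if __name__ == "__main__":
    print(audit(WEAK, "default-src 'self'"), audit(HARDENED, "default-src 'self'; object-src 'none'"))
```

The weak response passes the Content-Disposition check yet yields four findings, which is the gap this CVE exposed; the hardened one returns no findings because it never depends on the browser honouring a single header.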


Technical Details

Data Version: 5.1
Assigner Short Name: mozilla
Date Reserved: 2025-06-20T14:51:35.561Z
Cvss Version: null
State: PUBLISHED

Threat ID: 685aa0274dc24046c1dc5aa9

Added to database: 6/24/2025, 12:55:03 PM

Last enriched: 11/8/2025, 2:15:58 AM

Last updated: 11/21/2025, 6:43:31 AM

