CVE-2025-6432: DNS Requests leaked outside of a configured SOCKS proxy in Mozilla Firefox

Severity: High
Tags: Vulnerability, CVE-2025-6432
Published: Tue Jun 24 2025 (06/24/2025, 12:28:03 UTC)
Source: CVE Database V5
Vendor/Project: Mozilla
Product: Firefox

Description

When Multi-Account Containers was enabled, DNS requests could have bypassed a SOCKS proxy when the domain name was invalid or the SOCKS proxy was not responding. This vulnerability affects Firefox < 140 and Thunderbird < 140.

AI-Powered Analysis

Last updated: 07/14/2025, 20:37:05 UTC

Technical Analysis

CVE-2025-6432 is a high-severity vulnerability affecting Mozilla Firefox and Thunderbird versions prior to 140. The issue arises when the Multi-Account Containers feature is enabled. Under this configuration, DNS requests intended to be routed through a configured SOCKS proxy may instead leak outside the proxy under certain conditions. Specifically, if the domain name being resolved is invalid or if the SOCKS proxy is unresponsive, the DNS queries bypass the proxy and are sent directly to the DNS resolver. This behavior undermines the privacy and security guarantees expected from using a SOCKS proxy, which is often employed to anonymize or secure network traffic. The vulnerability is classified under CWE-200 (Information Exposure), indicating that sensitive information—in this case, DNS queries—can be exposed to unintended parties. The CVSS v3.1 base score is 8.6, reflecting a high impact on confidentiality (complete DNS query exposure), with limited impact on integrity and availability. The attack vector is network-based, requires no privileges or user interaction, and affects the confidentiality of user browsing data. Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk to users relying on SOCKS proxies for privacy, especially in environments where DNS query confidentiality is critical. The lack of a patch link suggests that fixes may be forthcoming or pending release. Overall, this vulnerability compromises the anonymity and security model of proxy usage in Firefox and Thunderbird when Multi-Account Containers are active, potentially allowing adversaries to monitor or infer user activity through DNS traffic analysis.

Potential Impact

For European organizations, this vulnerability can have serious privacy and security implications. Many enterprises and governmental entities in Europe use SOCKS proxies or similar proxy configurations to enforce network segmentation, comply with data protection regulations (such as GDPR), and protect sensitive communications. The leakage of DNS requests outside the proxy can reveal internal or user browsing patterns to external observers, including malicious actors or unauthorized third parties. This exposure could lead to targeted attacks, surveillance, or data leakage, undermining organizational confidentiality policies. Additionally, sectors with high privacy requirements, such as finance, healthcare, and public administration, may face increased risks of information exposure. The vulnerability also threatens the effectiveness of privacy-preserving technologies used by journalists, activists, and researchers within Europe. Given the high CVSS score and the ease of exploitation (no authentication or user interaction required), the potential impact on confidentiality is significant, potentially leading to reputational damage, regulatory penalties, and loss of trust.

Mitigation Recommendations

European organizations should take immediate steps to mitigate this vulnerability beyond generic advice:

1) Upgrade Firefox and Thunderbird to version 140 or later as soon as official patches become available to ensure the vulnerability is fully addressed.
2) Until patches are deployed, consider disabling the Multi-Account Containers feature if SOCKS proxies are used to route traffic, to prevent DNS leakage.
3) Implement network-level DNS filtering and monitoring to detect anomalous DNS requests that bypass proxies.
4) Use DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) configured to operate strictly through the proxy to reduce DNS leakage risks.
5) Employ endpoint security solutions that can enforce proxy usage policies and alert on proxy bypass attempts.
6) Conduct internal audits to identify users or systems relying on SOCKS proxies with Multi-Account Containers enabled and provide targeted guidance.
7) For highly sensitive environments, consider alternative browsers or email clients with verified proxy handling until the vulnerability is resolved.
8) Educate users about the risks of proxy misconfigurations and the importance of applying updates promptly.
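One way to run the audit in recommendation 6, as an added example that is not code from this advisory or from Mozilla: it flags a profile that combines a manual SOCKS proxy, an active Multi-Account Containers add-on and a version below 140. It assumes the profile files `prefs.js`, `extensions.json` and `compatibility.ini` and the add-on ID `@testpilot-containers`; the sample contents are constructed, and proxies configured inside the extension itself are not examined.

```python
import json
import re
MAC_ADDON_ID = "@testpilot-containers"  # Multi-Account Containers add-on ID (assumption of this example)
FIXED_MAJOR = 140                       # advisory: affects Firefox and Thunderbird < 140
PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+?)\);[ \t]*$', re.M)

# Constructed sample profile contents (not taken from a real system).
SAMPLE_PREFS = '''user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 1080);
user_pref("network.proxy.socks_remote_dns", true);
'''
SAMPLE_EXT = '{"addons": [{"id": "@testpilot-containers", "active": true, "userDisabled": false}]}'
SAMPLE_COMPAT = "[Compatibility]\nLastVersion=139.0.4_20250610000000/20250610000000\n"

def parse_prefs(prefs_js):
    """Map pref name -> value; prefs.js values parse as JSON literals."""
    prefs = {}
    for name, raw in PREF_RE.findall(prefs_js):
        try:
            prefs[name] = json.loads(raw)
        except ValueError:
            prefs[name] = raw  # keep unparsed text rather than drop the pref
    return prefs

def major_version(compat_ini):
    m = re.search(r"^LastVersion=(\d+)", compat_ini, re.M)
    return int(m.group(1)) if m else None

def containers_active(extensions_json):
    addons = json.loads(extensions_json).get("addons", [])
    return any(a.get("id") == MAC_ADDON_ID and bool(a.get("active"))
               and not a.get("userDisabled") for a in addons)

def assess_profile(prefs_js, extensions_json, compat_ini):
    prefs = parse_prefs(prefs_js)
    major = major_version(compat_ini)
    result = {
        "socks_proxy": prefs.get("network.proxy.type") == 1 and bool(prefs.get("network.proxy.socks")),
        "remote_dns": prefs.get("network.proxy.socks_remote_dns") is True,  # False: DNS is local by design
        "containers": containers_active(extensions_json),
        # an unreadable version counts as unpatched so the host gets reviewed
        "unpatched": major is None or major < FIXED_MAJOR,
    }
    result["exposed"] = all(result[k] for k in ("socks_proxy", "containers", "unpatched"))
    return result

if __name__ == "__main__":
    print(assess_profile(SAMPLE_PREFS, SAMPLE_EXT, SAMPLE_COMPAT))
```

In a fleet audit, feed the three files from each profile directory into `assess_profile` and report the hosts where `exposed` is true.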

Technical Details

Data Version: 5.1
Assigner Short Name: mozilla
Date Reserved: 2025-06-20T14:51:37.854Z
Cvss Version: null
State: PUBLISHED

Threat ID: 685aa0274dc24046c1dc5ab2

Added to database: 6/24/2025, 12:55:03 PM

Last enriched: 7/14/2025, 8:37:05 PM

Last updated: 8/13/2025, 4:40:10 PM
