
CVE-2025-6434: HTTPS-Only exception screen lacked anti-clickjacking delay in Mozilla Firefox

Severity: Medium
Type: Vulnerability (CVE-2025-6434)
Published: Tue Jun 24 2025 (06/24/2025, 12:28:04 UTC)
Source: CVE Database V5
Vendor/Project: Mozilla
Product: Firefox

Description

The exception page for the HTTPS-Only feature, displayed when a website is opened via HTTP, lacked an anti-clickjacking delay, potentially allowing an attacker to trick a user into granting an exception and loading a webpage over HTTP. This vulnerability affects Firefox < 140 and Thunderbird < 140.

AI-Powered Analysis

AI analysis last updated: 07/14/2025, 20:37:36 UTC

Technical Analysis

CVE-2025-6434 is a medium-severity vulnerability affecting Mozilla Firefox and Thunderbird versions prior to 140. The issue lies in the HTTPS-Only mode exception screen, which is presented to users when they attempt to access a website over HTTP rather than HTTPS. This screen allows users to grant an exception to load the site over HTTP despite the HTTPS-Only policy. However, the exception page lacked an anti-clickjacking delay mechanism, which is a security control designed to prevent malicious overlays or UI redressing attacks.

Without this delay, an attacker could craft a malicious webpage that tricks a user into clicking on the exception prompt unintentionally, thereby granting the exception and allowing the site to load over an insecure HTTP connection. This undermines the security guarantees of HTTPS-Only mode by enabling forced downgrades to HTTP, potentially exposing users to man-in-the-middle attacks or eavesdropping. The vulnerability does not impact confidentiality directly but affects integrity by allowing an attacker to bypass HTTPS enforcement. Exploitation requires user interaction (UI:R) but no privileges or authentication.

The vulnerability is classified under CWE-1021 (Improper Restriction of Rendered UI Layers or Frames), indicating a failure to properly protect UI elements from clickjacking. There are no known exploits in the wild as of the publication date, and no patch links were provided in the source data, but it is expected that Mozilla would address this in upcoming releases. The CVSS score is 4.3 (medium), reflecting the limited impact and required user interaction.
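The control the analysis says was missing is a "security delay": a sensitive confirmation button that ignores activation until it has been visible and undisturbed for a fixed interval, the same idea behind the `security.dialog_enable_delay` preference Firefox applies to other sensitive dialogs. The gate below is an added illustration of that pattern, not Mozilla's code; the function names, the 1000 ms default and the fake clock used in `simulateExceptionPrompt` are assumptions made for the example.

```javascript
// Added example (not Mozilla code): a security-delay gate for a sensitive
// confirmation control, the generic anti-clickjacking pattern this CVE says
// the HTTPS-Only exception page lacked. Activation is refused until the
// control has been visible and undisturbed for `delayMs`; any event that may
// mean the user is not looking at what they think they are (window lost
// focus, visibility change, the control was re-shown or moved) restarts the
// timer. The clock is injected so the logic runs without a browser.

function createSecurityDelayGate({ delayMs = 1000, now = () => Date.now() } = {}) {
  let armedAt = null; // timestamp when the control last became stable, or null

  return {
    // Call when the control is rendered and shown to the user.
    shown() { armedAt = now(); },
    // Call on blur, visibilitychange, resize or layout shift: the delay
    // starts over from this moment.
    disturbed() { armedAt = now(); },
    // Call when the user activates the "continue over HTTP" control.
    tryActivate() {
      if (armedAt === null) return { allowed: false, reason: 'not-shown', remainingMs: delayMs };
      const elapsed = now() - armedAt;
      if (elapsed < delayMs) {
        return { allowed: false, reason: 'too-early', remainingMs: delayMs - elapsed };
      }
      return { allowed: true, reason: 'ok', remainingMs: 0 };
    },
  };
}

// Simulation with a constructed fake clock: a click arriving 150 ms after the
// prompt appears is rejected, a click after the delay is accepted, and a click
// 300 ms after the window regained focus is rejected again.
function simulateExceptionPrompt() {
  let t = 0;
  const gate = createSecurityDelayGate({ delayMs: 1000, now: () => t });
  gate.shown();
  t = 150;
  const early = gate.tryActivate();        // rejected: too-early, 850 ms left
  t = 1200;
  const late = gate.tryActivate();         // accepted
  gate.disturbed();                        // window lost focus at t = 1200
  t = 1500;
  const afterDisturb = gate.tryActivate(); // rejected: only 300 ms stable
  return { early, late, afterDisturb };
}
```

In a real page the button should also be rendered disabled until `tryActivate` would succeed, with `shown` wired to the dialog's render and `disturbed` wired to `blur`, `visibilitychange` and `resize`; the gate alone only decides whether a click counts.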

Potential Impact

For European organizations, this vulnerability could weaken the security posture of users relying on Firefox or Thunderbird's HTTPS-Only mode, especially in environments where sensitive data is accessed via web applications. Attackers could exploit this flaw to bypass HTTPS enforcement, exposing users to interception or manipulation of data transmitted over HTTP. This is particularly concerning for sectors handling personal data under GDPR, financial services, and government entities where secure communications are critical. While the vulnerability requires user interaction, phishing or social engineering campaigns could leverage this to trick employees into allowing insecure connections, increasing the risk of credential theft or data leakage. The impact is more pronounced in organizations with strict HTTPS policies relying on browser enforcement rather than network-level controls. However, since the vulnerability does not allow direct code execution or privilege escalation, the overall risk is moderate but non-negligible.

Mitigation Recommendations

European organizations should ensure that all Firefox and Thunderbird installations are updated to version 140 or later once patches are released by Mozilla. Until then, organizations can mitigate risk by disabling HTTPS-Only mode or restricting its use to trusted sites only, reducing exposure to the exception screen. User awareness training should emphasize caution when interacting with browser prompts and exception dialogs, highlighting the risk of clickjacking attacks. Network-level controls such as enforcing HTTPS via HTTP Strict Transport Security (HSTS) policies and web proxies can reduce reliance on client-side enforcement. Additionally, deploying Content Security Policy (CSP) headers that prevent framing or embedding of sensitive pages can help mitigate clickjacking risks. Monitoring for suspicious user behavior or unusual exception grants may also help detect exploitation attempts. Finally, organizations should track Mozilla security advisories closely to apply patches promptly.
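Two of the server-side controls recommended above can be audited from a site's response headers: HSTS, which keeps a returning browser on HTTPS regardless of the exception screen, and anti-framing headers (CSP `frame-ancestors` or `X-Frame-Options`), which stop a site's own pages from being embedded in an overlay. The checker below is an added example, not part of this advisory or of any Mozilla tooling; the one-year `max-age` threshold and the two sample header sets are constructed for the example. Note what it does not cover: these headers protect the site's own pages, and they cannot harden the browser's internal exception page, which only the Firefox 140 fix addresses.

```javascript
// Added example (not Mozilla code): audit response headers for HSTS and
// anti-framing controls. Sample header sets at the bottom are constructed.

const ONE_YEAR_SECONDS = 31536000; // assumed minimum HSTS max-age for this audit

// Lower-case header names so lookups are case-insensitive.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value);
  }
  return out;
}

// Parse the max-age directive of an HSTS header; null if missing.
function hstsMaxAge(value) {
  const m = /max-age\s*=\s*"?(\d+)"?/i.exec(value);
  return m ? Number(m[1]) : null;
}

// Return the source list of the frame-ancestors directive, or null if absent.
function frameAncestors(csp) {
  for (const directive of csp.split(';')) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0].toLowerCase() === 'frame-ancestors') return parts.slice(1);
  }
  return null;
}

function auditTransportHeaders(rawHeaders) {
  const h = normalizeHeaders(rawHeaders);
  const findings = [];

  // HSTS: present, long-lived, covering subdomains.
  const hsts = h['strict-transport-security'];
  if (!hsts) {
    findings.push('missing Strict-Transport-Security');
  } else {
    const maxAge = hstsMaxAge(hsts);
    if (maxAge === null) findings.push('HSTS without max-age');
    else if (maxAge < ONE_YEAR_SECONDS) findings.push(`HSTS max-age ${maxAge} below one year`);
    if (!/includeSubDomains/i.test(hsts)) findings.push('HSTS lacks includeSubDomains');
  }

  // Anti-framing: CSP frame-ancestors takes precedence over X-Frame-Options.
  const csp = h['content-security-policy'];
  const ancestors = csp ? frameAncestors(csp) : null;
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (ancestors) {
    if (ancestors.includes('*')) findings.push("frame-ancestors allows '*'");
  } else if (!['DENY', 'SAMEORIGIN'].includes(xfo)) {
    findings.push('no frame-ancestors directive and no DENY/SAMEORIGIN X-Frame-Options');
  }

  return { ok: findings.length === 0, findings };
}

// Constructed sample header sets: a weak configuration and a hardened one.
const WEAK_HEADERS = {
  'Content-Type': 'text/html',
  'Strict-Transport-Security': 'max-age=300',
};

const HARDENED_HEADERS = {
  'Content-Type': 'text/html',
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
  'X-Frame-Options': 'DENY',
};
```

Run `auditTransportHeaders` over the headers of each sensitive application's landing page; the weak sample yields three findings (short `max-age`, no `includeSubDomains`, no anti-framing header), the hardened sample none.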


Technical Details

Data Version: 5.1
Assigner Short Name: mozilla
Date Reserved: 2025-06-20T14:51:40.757Z
CVSS Version: null
State: PUBLISHED

Threat ID: 685aa0274dc24046c1dc5ac4

Added to database: 6/24/2025, 12:55:03 PM

Last enriched: 7/14/2025, 8:37:36 PM

Last updated: 8/18/2025, 11:30:15 PM
