CVE-2025-6434: Vulnerability in Mozilla Firefox
The exception page for the HTTPS-Only feature, displayed when a website is opened via HTTP, lacked an anti-clickjacking delay, potentially allowing an attacker to trick a user into granting an exception and loading a webpage over HTTP. This vulnerability affects Firefox < 140 and Thunderbird < 140.
AI Analysis
Technical Summary
CVE-2025-6434 is a vulnerability affecting Mozilla Firefox and Thunderbird versions prior to 140, specifically in the HTTPS-Only feature, which enforces secure connections by default. When a user attempts to access a website over HTTP, Firefox displays an exception page that lets the user grant an exception and load the site insecurely. However, this exception page lacks an anti-clickjacking delay: a short period after the page is shown or regains focus during which its security-critical buttons do not accept clicks, so that an attacker who overlays or frames the page cannot land a reflexive click on them. Without this delay, an attacker can craft a malicious webpage that invisibly frames the exception page and induces the user to click, thereby granting an exception to load the site over HTTP. This undermines the intent of the HTTPS-Only feature, potentially exposing users to man-in-the-middle attacks, content tampering, or eavesdropping. The vulnerability requires no privileges or authentication but does require user interaction (a click). The CVSS v3.1 base score is 4.3 (medium), reflecting the network attack vector, low attack complexity, no privileges required, user interaction required, and an impact limited to integrity (no confidentiality or availability impact). No public exploits have been reported yet. The vulnerability is tracked under CWE-1021 (Improper Restriction of Rendered UI Layers or Frames). No patches or updates were linked at the time of publication, but users are advised to update to Firefox/Thunderbird 140 or later once available. This vulnerability highlights the importance of UI security controls such as anti-clickjacking delays in browser security features.
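As an added illustration (not Mozilla's code, and not how Firefox implements its fix), the following JavaScript models the control the advisory describes as missing: a security-critical button that swallows clicks until the page has been visible and focused for a configurable delay, and re-arms whenever focus or visibility is lost. The delay length, the class and function names, and the DOM wiring in `bindToDom` are assumptions.

```javascript
// Added example (not Mozilla's code): a minimal model of the anti-clickjacking delay
// that CVE-2025-6434 reports missing. A security-critical button is armed only once
// the page has been visible and focused for DELAY_MS; earlier clicks are swallowed,
// and losing focus or visibility disarms it so the countdown restarts on reappearance.
const DELAY_MS = 1000; // assumed value; the real delay length is a product choice
class DelayedConfirmButton {
  constructor(delayMs = DELAY_MS) {
    this.delayMs = delayMs;
    this.armedAt = null;   // time (ms) from which clicks are honoured; null = disarmed
    this.accepted = 0;
    this.rejected = [];    // timestamps of swallowed clicks (useful for telemetry)
  }
  shown(now) { this.armedAt = now + this.delayMs; } // page became visible and focused
  hidden() { this.armedAt = null; }                 // page lost focus or visibility
  click(now) {                                      // true = honoured, false = swallowed
    if (this.armedAt === null || now < this.armedAt) { this.rejected.push(now); return false; }
    this.accepted += 1;
    return true;
  }
}

// Browser wiring (assumed standard DOM APIs; not executed under Node). The capture-phase
// listener stops swallowed clicks from ever reaching the button's own handler.
function bindToDom(button, element) {
  const now = () => performance.now();
  element.addEventListener('click', (ev) => {
    if (!button.click(now())) { ev.preventDefault(); ev.stopImmediatePropagation(); }
  }, true);
  window.addEventListener('focus', () => button.shown(now()));
  window.addEventListener('blur', () => button.hidden());
  document.addEventListener('visibilitychange', () =>
    document.visibilityState === 'visible' ? button.shown(now()) : button.hidden());
  if (document.hasFocus() && document.visibilityState === 'visible') button.shown(now());
}

// Constructed scenario with synthetic timestamps (ms): a reflexive click 120 ms after the page
// appears is swallowed, a deliberate click at 1.3 s is honoured, and re-showing restarts the delay.
function scenario() {
  const btn = new DelayedConfirmButton();
  btn.shown(0);
  const early = btn.click(120);
  const later = btn.click(1300);
  btn.hidden();
  const whileHidden = btn.click(4000);
  btn.shown(5000);
  const afterReshow = btn.click(5200);
  const settled = btn.click(6100);
  return { early, later, whileHidden, afterReshow, settled,
           accepted: btn.accepted, rejected: btn.rejected.length };
}
```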
Potential Impact
For European organizations, this vulnerability could lead to users unintentionally allowing insecure HTTP connections despite HTTPS-Only mode, increasing exposure to man-in-the-middle attacks, data tampering, or injection of malicious content. This is particularly concerning for organizations handling sensitive information or relying on secure web communications for internal or customer-facing services. Attackers could exploit this vulnerability to bypass HTTPS enforcement policies, potentially compromising the integrity of data exchanged or the authenticity of websites accessed. While confidentiality and availability are not directly impacted, the integrity compromise could facilitate phishing, malware delivery, or session hijacking. The requirement for user interaction means that social engineering or targeted phishing campaigns could be used to exploit this vulnerability. European sectors such as finance, government, healthcare, and critical infrastructure, which mandate strict secure communication protocols, could face increased risk if users are tricked into granting HTTP exceptions. The lack of known exploits in the wild currently limits immediate risk, but the vulnerability should be addressed proactively.
Mitigation Recommendations
1. Update Firefox and Thunderbird to version 140 or later as soon as these versions are released, as they are expected to include fixes for this vulnerability.
2. Until updates are available, educate users about the risks of granting HTTPS exceptions and instruct them to avoid allowing exceptions unless absolutely necessary.
3. Implement browser configuration policies (e.g., via Group Policy or enterprise management tools) to restrict or disable the ability to grant HTTPS exceptions, especially on managed devices.
4. Employ network-level protections such as HTTPS inspection and strict transport security (HSTS) policies to reduce reliance on client-side exception handling.
5. Monitor user behavior and web traffic for signs of suspicious framing or clickjacking attempts, and consider deploying browser extensions or security tools that detect and block clickjacking.
6. Conduct phishing awareness training emphasizing the risks of interacting with unexpected browser prompts or unusual webpage behaviors.
7. For critical systems, consider using hardened browsers or security-hardened profiles that limit user override of HTTPS enforcement.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: mozilla
- Date Reserved: 2025-06-20T14:51:40.757Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 685aa0274dc24046c1dc5ac4
Added to database: 6/24/2025, 12:55:03 PM
Last enriched: 10/31/2025, 5:06:48 AM
Last updated: 11/22/2025, 6:01:50 PM