
CVE-2025-6435: Vulnerability in Mozilla Firefox

Severity: High
Published: Tue Jun 24 2025 (06/24/2025, 12:28:04 UTC)
Source: CVE Database V5
Vendor/Project: Mozilla
Product: Firefox

Description

If a user saved a response from the Network tab in Devtools using the Save As context menu option, that file may not have been saved with the `.download` file extension. This could have led to the user inadvertently running a malicious executable. This vulnerability affects Firefox < 140 and Thunderbird < 140.

AI-Powered Analysis

Last updated: 10/31/2025, 05:07:02 UTC

Technical Analysis

CVE-2025-6435 is a vulnerability identified in Mozilla Firefox and Thunderbird prior to version 140, categorized under CWE-434 (Unrestricted Upload of File with Dangerous Type). The issue arises when a user saves a network response via the Developer Tools Network tab using the 'Save As' context menu option. Instead of appending the expected '.download' file extension, the saved file may retain its original extension, which could be an executable or other malicious file type. This improper handling increases the risk that a user might inadvertently execute a malicious file, potentially leading to arbitrary code execution or system compromise. The vulnerability has a CVSS v3.1 base score of 8.1, indicating high severity, with attack vector as network (AV:N), high attack complexity (AC:H), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). No known exploits have been reported in the wild yet. The vulnerability affects all Firefox and Thunderbird versions prior to 140, though exact affected versions are unspecified. The root cause is related to improper file extension handling when saving network responses, which can be exploited by attackers who can trick users into saving malicious responses. This vulnerability highlights the risks associated with developer tools features that interact with file systems without sufficient safeguards.
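The safeguard described above, sketched as an added example (not Mozilla's code and not part of the original page): a save routine that always leaves a `.download` suffix on the on-disk name, plus an audit helper for already-saved names. The function names `safeSaveName` and `missingSafeSuffix`, the fallback name `response` and the sanitising rules are assumptions made for illustration.

```javascript
// Added illustration, not Firefox source. Models the safeguard the advisory
// describes: a response saved from a network inspector always lands on disk
// with a trailing ".download", so the OS never treats it as directly runnable.
const SAFE_SUFFIX = ".download";

// Hypothetical helper: turn a server-influenced name into a safe on-disk name.
function safeSaveName(suggested) {
  let name = String(suggested ?? "");
  // Keep only the last path component; the name may come from a URL or header.
  name = name.split(/[\\/]/).pop();
  // Replace control characters and characters Windows forbids in file names.
  name = name.replace(/[\u0000-\u001f<>:"|?*]/g, "_");
  // Windows silently strips trailing dots and spaces, so normalise them
  // before checking which extension is really the last one.
  name = name.replace(/[. ]+$/, "");
  if (name === "") name = "response"; // assumed fallback name
  // Append unless the suffix is already the final extension (case-insensitive).
  if (!name.toLowerCase().endsWith(SAFE_SUFFIX)) name += SAFE_SUFFIX;
  return name;
}

// Audit helper: return the saved names whose effective final extension is
// not ".download", i.e. files that could be opened or run directly.
function missingSafeSuffix(savedNames) {
  return savedNames.filter((n) => {
    const effective = n.toLowerCase().replace(/[. ]+$/, "");
    return !effective.endsWith(SAFE_SUFFIX);
  });
}

// Constructed sample input, for illustration only.
const sample = ["setup.exe", "api.json.download", "x.download.scr"];
console.log(sample.map(safeSaveName));
console.log(missingSafeSuffix(sample));
```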

Potential Impact

For European organizations, this vulnerability poses a significant risk, especially for those relying heavily on Firefox and Thunderbird for daily operations, including software development, communication, and web browsing. The inadvertent execution of malicious files can lead to severe consequences such as data breaches, ransomware infections, or full system compromise. Confidentiality, integrity, and availability of sensitive organizational data could be severely impacted. Given the high CVSS score and the lack of required user interaction beyond saving a file, attackers could exploit this vulnerability remotely by convincing users to save malicious responses. This is particularly concerning for sectors with high security requirements such as finance, government, healthcare, and critical infrastructure. The absence of known exploits in the wild provides a window for proactive mitigation, but the potential for rapid exploitation remains. Additionally, the vulnerability could be leveraged in targeted attacks or supply chain compromises where malicious payloads are delivered via network responses.

Mitigation Recommendations

1. Immediate upgrade to Mozilla Firefox and Thunderbird version 140 or later, where this vulnerability is addressed.
2. Implement endpoint security policies that restrict execution of files without verified extensions or from untrusted sources, including blocking execution of files saved from browser developer tools.
3. Educate users, especially developers and IT staff, about the risks of saving and executing files from network responses and the importance of verifying file extensions before execution.
4. Employ application whitelisting to prevent unauthorized executables from running, particularly those originating from user downloads or developer tools.
5. Monitor network traffic and endpoint logs for suspicious file save activities or execution attempts related to developer tools usage.
6. Consider disabling or restricting access to the Developer Tools Network tab for non-technical users or in high-security environments.
7. Coordinate with IT security teams to integrate this vulnerability into vulnerability management and incident response workflows to ensure rapid detection and remediation.


Technical Details

Data Version: 5.1
Assigner Short Name: mozilla
Date Reserved: 2025-06-20T14:51:42.561Z
Cvss Version: null
State: PUBLISHED

Threat ID: 685aa0274dc24046c1dc5ac8

Added to database: 6/24/2025, 12:55:03 PM

Last enriched: 10/31/2025, 5:07:02 AM

Last updated: 11/20/2025, 11:00:31 AM
