CVE-2025-8031

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-8031
The `username:password` part was not correctly stripped from URLs in CSP reports potentially leaking HTTP Basic Authentication credentials. This vulnerability affects Firefox < 141, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13, and Thunderbird < 140.1.

9.8 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://bugzilla.mozilla.org/show_bug.cgi?id=1971719
https://www.mozilla.org/security/advisories/mfsa2025-56/
https://www.mozilla.org/security/advisories/mfsa2025-58/
https://www.mozilla.org/security/advisories/mfsa2025-59/
https://www.mozilla.org/security/advisories/mfsa2025-61/
https://www.mozilla.org/security/advisories/mfsa2025-62/
https://www.mozilla.org/security/advisories/mfsa2025-63/
Configurations

No configuration.

History

23 Jul 2025, 14:15

Type Values Removed Values Added
Summary
  • (es) La parte `username:password` no se eliminó correctamente de las URL en los informes de CSP, lo que podría filtrar credenciales de autenticación básica HTTP. Esta vulnerabilidad afecta a Firefox &lt; 141, Firefox ESR &lt; 128.13, Firefox ESR &lt; 140.1, Thunderbird &lt; 141, Thunderbird &lt; 128.13 y Thunderbird &lt; 140.1.
CWE CWE-276
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 9.8

22 Jul 2025, 21:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-07-22 21:15

Updated : 2025-07-25 15:29

NVD link : CVE-2025-8031

Mitre link : CVE-2025-8031

CVE.ORG link : CVE-2025-8031

JSON object : View

Products Affected

No product.

CWE
CWE-276

Incorrect Default Permissions