CRITICAL🇵🇱 Wersja polska

CVE-2025-8031

CVSS 9.8v3.1pub. 2025-07-22upd. 2026-04-13

The `username:password` part was not correctly stripped from URLs in CSP reports potentially leaking HTTP Basic Authentication credentials. This vulnerability was fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1.

🤖 AI Analysis
How it works

A browser or email client should remove the `username:password` fragment from URLs before including them in CSP reports sent to the server. In vulnerable versions, this mechanism did not work correctly, so the full URL containing authentication credentials was saved and transmitted in the CSP report content. An attacker controlling the CSP report reception point or able to intercept them could read this data.

Impact

An attacker can obtain HTTP Basic Authentication credentials (login and password) of a user, which may lead to account takeover and unauthorized access to protected resources.

Mitigation & patch

Update to Firefox 141, Firefox ESR 128.13 or Firefox ESR 140.1, and Thunderbird 141, Thunderbird 128.13 or Thunderbird 140.1, in which the vulnerability has been fixed.

Who is affected

Mozilla Firefox before version 141 and Firefox ESR before versions 128.13 and 140.1; Mozilla Thunderbird before version 141 and Thunderbird ESR before versions 128.13 and 140.1

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Mozilla Firefox

    APP
    Mozilla
    < 128.13.0< 141.0140.0 – 140.1.0 (bez)
  • Mozilla Thunderbird

    APP
    Mozilla
    < 128.13.0< 141.0140.0 – 140.1.0 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-9680CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Use-after-free w Animation timelines Firefox/Thunderbird — RCE

CVE-2022-26486CRITICAL9.6⚠ KEVten sam produkt

An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escap...

CVE-2019-11708CRITICAL10.0⚠ KEVten sam produkt

Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes ...

CVE-2010-3765CRITICAL9.8⚠ KEVten sam produkt

Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before...

CVE-2026-14241CRITICAL9.8ten sam produkt

Memory safety bugs present in Firefox 152.0.3. Some of these bugs showed evidence of memory corruption and we ...