{
  "threat_severity" : "Moderate",
  "public_date" : "2025-06-24T12:28:01Z",
  "bugzilla" : {
    "description" : "firefox: connect-src Content Security Policy restriction could be bypassed",
    "id" : "2374565",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2374565"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
    "status" : "draft"
  },
  "details" : [ "An attacker was able to bypass the `connect-src` directive of a Content Security Policy by manipulating subdocuments. This would have also hidden the connections from the Network tab in Devtools. This vulnerability was fixed in Firefox 140 and Thunderbird 140.", "A flaw was found in Firefox. The Mozilla Foundation's Security Advisory describes the following issue: An attacker is able to bypass the <code>connect-src</code> directive of a Content Security Policy by manipulating subdocuments. This also hides the connections from the Network tab in Devtools. Because <code>connect-src</code> governs which origins a page may contact via fetch, XMLHttpRequest, WebSocket and similar APIs, a bypass allows injected content to send data to hosts the policy was meant to block, and the connections being absent from the Network tab makes such traffic harder to notice during investigation." ],
  "statement" : "Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "firefox",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "rhel10/firefox-flatpak",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "firefox",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "firefox",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "firefox",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "firefox",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-6427\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-6427\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1966927\nhttps://www.mozilla.org/security/advisories/mfsa2025-51/" ],
  "name" : "CVE-2025-6427",
  "csaw" : false
}