
CVE-2025-6429

Published: Jun 24, 2025

Modified: Apr 13, 2026

PUBLISHED

Description

Firefox could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing the URL specified in an `embed` tag. This could have bypassed website security checks that restricted which domains users were allowed to embed. This vulnerability was fixed in Firefox 140, Firefox ESR 128.12, Thunderbird 140, and Thunderbird 128.12.

| Vendor | Product | Versions |
|---|---|---|
| Mozilla | Firefox | unaffected 128.12 - <= 128.* |
| Mozilla | Firefox | unaffected 140 - <= * |
| Mozilla | Thunderbird | unaffected 128.12 - <= 128.* |
| Mozilla | Thunderbird | unaffected 140 - <= * |
