PT-2025-26727 · Mozilla+10 · Firefox+10
Daniil Satyaev · Published 2025-06-09 · Updated 2025-12-03
CVE-2025-6430
CVSS v2.0: 6.4 (Medium)
| Vector | AV:N/AC:L/Au:N/C:P/I:P/A:N |
Name of the Vulnerable Software and Affected Versions:
Firefox versions prior to 140
Firefox ESR versions prior to 128.12
Description:
The issue arises when a file download is specified via the Content-Disposition header, but this directive is ignored if the file is included via an <embed> or <object> tag. This could make a website vulnerable to a cross-site scripting attack. The vulnerability is related to the HTTP Header Handler component of Mozilla Firefox and Firefox ESR, which fails to protect the web page structure when handling the Content-Disposition parameter. Exploitation of this vulnerability could allow a remote attacker to conduct cross-site scripting attacks.
Recommendations:
For Firefox versions prior to 140, update to version 140 or later to resolve the issue.
For Firefox ESR versions prior to 128.12, update to version 128.12 or later to resolve the issue.
As a temporary workaround, consider disabling the use of <embed> and <object> tags in web pages until the issue is resolved.
Restrict access to potentially vulnerable web pages to minimize the risk of exploitation.
Fix
XSS
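The description above means a site that serves user-uploaded files cannot rely on Content-Disposition: attachment alone to keep them from being rendered in its origin. The following is an added example, not code from the advisory or from Mozilla: a small audit of a file-serving response's headers that flags an attachment with a renderable content type and checks for two defensive assumptions of my own (X-Content-Type-Options: nosniff and a CSP sandbox directive on the served file); the sample responses are constructed.

```python
# Added example: audit a response that serves an uploaded file and report
# when it depends on Content-Disposition alone, which an unpatched Firefox
# ignores for <embed>/<object> (CVE-2025-6430). The nosniff and CSP sandbox
# checks are the editor's defensive assumptions, not advisory content.

# Content types a browser may render as a scriptable document.
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml",
                "text/xml", "application/xml"}

def parse_headers(raw: str) -> dict:
    """Parse a raw response header block into a lower-cased name -> value map."""
    headers = {}
    for line in raw.splitlines():
        if ":" not in line or line.startswith("HTTP/"):
            continue  # status line or blank line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def audit_download_response(raw: str) -> list:
    """Return findings for a response intended to force a download."""
    h = parse_headers(raw)
    findings = []
    disposition = h.get("content-disposition", "").lower()
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    csp = h.get("content-security-policy", "").lower()
    if not disposition.startswith("attachment"):
        return findings  # not a forced download: out of scope for this check
    if ctype in ACTIVE_TYPES:
        findings.append(f"active Content-Type {ctype} behind attachment disposition")
        if "sandbox" not in csp:
            findings.append("no CSP sandbox directive to neutralise the document if rendered")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    return findings

# Constructed sample responses (not captured traffic).
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Disposition: attachment; filename="report.html"
"""
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="report.html"
X-Content-Type-Options: nosniff
Content-Security-Policy: sandbox
"""

if __name__ == "__main__":
    for name, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(name, audit_download_response(raw))
```

Serving uploads from a dedicated, cookieless origin remains the stronger control; this check only catches responses that would render in the main origin on an unpatched browser.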
Affected Products
Alt Linux
Almalinux
Astra Linux
Centos
Debian
Firefox
Linuxmint
Red Hat
Rocky Linux
Suse
Ubuntu