CVE-2025-6433CRITICAL 9.8EPSS p15.3%

CVE-2025-6433CVE-2025-6433

Description

If a user visited a webpage with an invalid TLS certificate, and granted an exception, the webpage was able to provide a WebAuthn challenge that the user would be prompted to complete. This is in violation of the WebAuthN spec which requires "a secure transport established without errors". This vulnerability was fixed in Firefox 140 and Thunderbird 140.

Scoring

CVSS 3.19.8 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS0.24% probability of exploitation · percentile 15.3% · 2026-06-19T12:03:05Z
Published2025-06-24
Last modified2026-04-13

Underlying weaknesses· 1

CWE-295

References

  1. https://bugzilla.mozilla.org/show_bug.cgi?id=1954033
  2. https://www.mozilla.org/security/advisories/mfsa2025-51/
  3. https://www.mozilla.org/security/advisories/mfsa2025-54/

1

TypeTargetConfidenceTier
WeaknessImproper Certificate Validationcwe-2950%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2025-1014
CVE
CVE-2025-6432
CVE
CVE-2026-2800
CVE
CVE-2025-10534
CVE
CVE-2026-6771
CVE
CVE-2025-8031
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.