CVE-2025-8031 · CRITICAL 9.8 · EPSS p33.2%

Description

The `username:password` part was not correctly stripped from URLs in CSP reports, potentially leaking HTTP Basic Authentication credentials. This vulnerability was fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.42% probability of exploitation · percentile 33.2% · 2026-06-19T12:03:05Z
Published: 2025-07-22
Last modified: 2026-04-13

Underlying weaknesses · 1

CWE-276

References

  1. https://bugzilla.mozilla.org/show_bug.cgi?id=1971719
  2. https://www.mozilla.org/security/advisories/mfsa2025-56/
  3. https://www.mozilla.org/security/advisories/mfsa2025-58/
  4. https://www.mozilla.org/security/advisories/mfsa2025-59/
  5. https://www.mozilla.org/security/advisories/mfsa2025-61/
  6. https://www.mozilla.org/security/advisories/mfsa2025-62/
  7. https://www.mozilla.org/security/advisories/mfsa2025-63/
  8. https://lists.debian.org/debian-lts-announce/2025/07/msg00016.html

Type: Weakness
Target: Incorrect Default Permissions (cwe-276)
Confidence: 0%
Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-8032
  2. CVE-2025-8030
  3. CVE-2025-8029
  4. CVE-2025-8039
  5. CVE-2026-8950
  6. CVE-2025-8036

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.