CVE-2025-8031

{"id": "CVE-2025-8031", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2025-07-22T21:15:50.257", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1971719", "tags": ["Permissions Required"], "source": "security@mozilla.org"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-56/", "tags": ["Vendor Advisory"], "source": "security@mozilla.org"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-58/", "tags": ["Vendor Advisory"], "source": "security@mozilla.org"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-59/", "tags": ["Vendor Advisory"], "source": "security@mozilla.org"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-61/", "tags": ["Vendor Advisory"], "source": "security@mozilla.org"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-62/", "tags": ["Vendor Advisory"], "source": "security@mozilla.org"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-63/", "tags": ["Vendor Advisory"], "source": "security@mozilla.org"}, {"url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00016.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-276"}]}], "descriptions": [{"lang": "en", "value": "The `username:password` part was not correctly stripped from URLs in CSP reports potentially leaking HTTP Basic Authentication credentials. This vulnerability was fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1."}, {"lang": "es", "value": "La parte `username:password` no se elimin\u00f3 correctamente de las URL en los informes de CSP, lo que podr\u00eda filtrar credenciales de autenticaci\u00f3n b\u00e1sica HTTP. Esta vulnerabilidad afecta a Firefox < 141, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13 y Thunderbird < 140.1."}], "lastModified": "2026-04-13T15:17:09.433", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*", "vulnerable": true, "matchCriteriaId": "7C22C9BA-7B86-487A-B0A4-419A0D163B56", "versionEndExcluding": "128.13.0"}, {"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*", "vulnerable": true, "matchCriteriaId": "8684A46E-D70A-4830-8971-A6DCC360F422", "versionEndExcluding": "141.0"}, {"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*", "vulnerable": true, "matchCriteriaId": "BB48C2EF-A6AC-4445-9417-1B65D5BC509B", "versionEndExcluding": "140.1.0", "versionStartIncluding": "140.0"}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*", "vulnerable": true, "matchCriteriaId": "B9BB9B0C-2B49-44EA-9BED-241A8CE8794E", "versionEndExcluding": "128.13.0"}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*", "vulnerable": true, "matchCriteriaId": "95D506DD-BD9B-4D90-802F-5BE673F1CF14", "versionEndExcluding": "141.0"}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*", "vulnerable": true, "matchCriteriaId": "8CE266C2-5AF1-4C57-9B7C-47039FF06384", "versionEndExcluding": "140.1.0", "versionStartIncluding": "140.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@mozilla.org"}