VulnerableCode Package Details - pkg:rpm/redhat/firefox@128.12.0-1?arch=el8

Search for packages

Vulnerability	Summary	Fixed by
VCID-j6w1-yhc3-uqfw Aliases: CVE-2025-6425	An attacker who enumerated resources from the WebCompat extension could have obtained a persistent UUID that identified the browser, and persisted between containers and normal/private browsing mode, but not profiles.	There are no reported fixed by versions.
VCID-mrb2-hz9y-4ufp Aliases: CVE-2025-6430	When a file download is specified via the Content-Disposition header, that directive would be ignored if the file was included via a <embed> or <object> tag, potentially making a website vulnerable to a cross-site scripting attack.	There are no reported fixed by versions.
VCID-r29z-4m4j-8kft Aliases: CVE-2025-6424	A use-after-free in FontFaceSet resulted in a potentially exploitable crash.	There are no reported fixed by versions.
VCID-s89g-7f5f-5qd2 Aliases: CVE-2025-6429	Thunderbird could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing the URL specified in an embed tag. This could have bypassed website security checks that restricted which domains users were allowed to embed.	There are no reported fixed by versions.

Vulnerability

Summary

Fixed by

VCID-j6w1-yhc3-uqfw
Aliases:
CVE-2025-6425

An attacker who enumerated resources from the WebCompat extension could have obtained a persistent UUID that identified the browser, and persisted between containers and normal/private browsing mode, but not profiles.

There are no reported fixed by versions.

VCID-mrb2-hz9y-4ufp
Aliases:
CVE-2025-6430

When a file download is specified via the Content-Disposition header, that directive would be ignored if the file was included via a <embed> or <object> tag, potentially making a website vulnerable to a cross-site scripting attack.

There are no reported fixed by versions.

VCID-r29z-4m4j-8kft
Aliases:
CVE-2025-6424

A use-after-free in FontFaceSet resulted in a potentially exploitable crash.

There are no reported fixed by versions.

VCID-s89g-7f5f-5qd2
Aliases:
CVE-2025-6429

Thunderbird could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing the URL specified in an embed tag. This could have bypassed website security checks that restricted which domains users were allowed to embed.

There are no reported fixed by versions.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T13:39:05.470326+00:00	RedHat Importer	Affected by	VCID-j6w1-yhc3-uqfw	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-6425.json	38.0.0
2026-04-01T13:39:04.559317+00:00	RedHat Importer	Affected by	VCID-r29z-4m4j-8kft	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-6424.json	38.0.0
2026-04-01T13:39:03.702689+00:00	RedHat Importer	Affected by	VCID-s89g-7f5f-5qd2	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-6429.json	38.0.0
2026-04-01T13:39:02.799197+00:00	RedHat Importer	Affected by	VCID-mrb2-hz9y-4ufp	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-6430.json	38.0.0