CVE-2025-6425: 
Mozilla Firefox vulnerability analysis and mitigation

CVE-2025-6425 is a privacy vulnerability discovered in the WebCompat WebExtension shipped with Firefox. The vulnerability was disclosed on June 24, 2025, affecting Firefox versions < 140, Firefox ESR < 115.25, and Firefox ESR < 128.12. The issue was reported by security researcher Rob Wu and was classified as having moderate impact (Mozilla Advisory).

The vulnerability stems from the WebCompat extension exposing a persistent UUID through enumerable resources via the webRequest API. This UUID persisted between containers and normal/private browsing mode, though not across profiles. The vulnerability has been assigned a CVSS 3.1 Base Score of 4.3 (MEDIUM) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N, indicating a low-complexity network attack vector with user interaction required (NVD).

The vulnerability allowed attackers to obtain a persistent UUID that could be used to track users across different browsing contexts, including both normal and private browsing modes, as well as across containers. This tracking capability persisted until the browser profile was changed, potentially enabling long-term user tracking (Mozilla Advisory, Bugzilla).

The vulnerability was patched in Firefox 140, Firefox ESR 115.25, and Firefox ESR 128.12. The fix involved changing the UUID of the WebCompat extension and ensuring it would not persist in a way that could enable tracking. The patch was verified to be safe as the WebCompat add-on does not rely on the persisted UUID for its functionality (Bugzilla).