CVE-2025-6425: 
NixOS vulnerability analysis and mitigation

CVE-2025-6425 is a privacy vulnerability discovered in the WebCompat extension shipped with Mozilla Firefox and Thunderbird. The vulnerability was disclosed on June 24, 2025, and affects Firefox versions < 140, Firefox ESR < 115.25, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12. The issue was reported by security researcher Rob Wu and was assigned a moderate severity rating (Mozilla Advisory, NVD).

The vulnerability allows an attacker to enumerate resources from the WebCompat extension to obtain a persistent UUID that identifies the browser. This UUID persists between containers and normal/private browsing mode, though not between profiles. The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N, indicating network accessibility with low attack complexity and requiring user interaction (NVD).

The primary impact of this vulnerability is privacy-related, as it enables browser fingerprinting across different browsing contexts. An attacker could use the persistent UUID to track a user's browser across different containers and between normal and private browsing modes, potentially compromising user privacy and anonymity (Mozilla Advisory).

The vulnerability has been fixed in Firefox 140, Firefox ESR 115.25, Firefox ESR 128.12, Thunderbird 140, and Thunderbird 128.12. Users are advised to update their browsers to these versions or newer to mitigate the vulnerability. The fix involves changing the UUID handling in the WebCompat extension to prevent persistence between browsing sessions (Mozilla Advisory).