
Cloud Vulnerability DB
A community-led vulnerabilities database
A Content Security Policy (CSP) bypass vulnerability was discovered in Firefox versions prior to 140, identified as CVE-2025-6427. The vulnerability was reported by security researcher Alan Li (lebr0nli) and was publicly disclosed on June 24, 2025. The issue affects the connect-src directive implementation in Firefox's Content Security Policy mechanism (Mozilla Advisory, NVD).
The vulnerability allows an attacker to bypass the connect-src directive of a Content Security Policy by manipulating subdocuments. A notable aspect of this vulnerability is that the unauthorized connections are also concealed from the Network tab in Firefox's Developer Tools, which makes the bypass harder to notice during testing or investigation. NVD has assigned a CVSS v3.1 base score of 9.1 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, that is, network-reachable, no privileges or user interaction required, with high confidentiality and integrity impact and no availability impact (NVD).
Mozilla's own advisory rates the impact as moderate, so the two sources disagree on severity. In practical terms, a bypass of connect-src lets a page (for example, one an attacker already controls through injected script) make network connections to destinations the policy was meant to forbid, which could be used for data exfiltration or unauthorized resource access. connect-src is commonly relied on as a last line of defense to limit what an XSS payload can talk to, so a bypass weakens that assumption. The ability to hide these connections from the Developer Tools further complicates detection and incident response efforts (Mozilla Advisory).
The vulnerability has been fixed in Firefox version 140. Users and administrators are advised to upgrade to Firefox 140 or later to protect against this security issue. No alternative workarounds have been publicly documented (Mozilla Advisory). Because CSP is enforced by the browser, no change to a site's policy can compensate for an enforcement bug in the client; the fix is on the Firefox side.
Source: This report was generated using AI