CVE-2025-6430: 
NixOS vulnerability analysis and mitigation

CVE-2025-6430 is a security vulnerability discovered in Mozilla Firefox versions prior to 140 and Firefox ESR versions prior to 128.12. The vulnerability was disclosed on June 24, 2025, and involves a flaw where the Content-Disposition header directive is ignored when a file is included via an <embed> or <object> tag, potentially exposing websites to cross-site scripting attacks (Mozilla Advisory, NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The issue is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-site Scripting) (NVD). The vulnerability specifically occurs when the Content-Disposition header, which is meant to specify file download behavior, is bypassed through the use of <embed> or <object> tags in the HTML content.

When exploited, this vulnerability could make websites vulnerable to cross-site scripting (XSS) attacks. The moderate impact rating suggests that while the vulnerability presents a significant security risk, it requires user interaction and has limited potential for damage (Mozilla Advisory).

The vulnerability has been patched in Firefox version 140 and Firefox ESR version 128.12. Users are advised to update their browsers to these versions or later to mitigate the risk. Red Hat has also released security updates for affected products through RHSA-2025:10181 and RHSA-2025:10184 (Red Hat Advisory).