CVE-2025-6432: 
NixOS vulnerability analysis and mitigation

CVE-2025-6432 is a security vulnerability discovered in Mozilla Firefox that affects versions prior to 140. The vulnerability was disclosed on June 24, 2025, and specifically impacts the Multi-Account Containers feature. When this feature is enabled, DNS requests could bypass a configured SOCKS proxy under two conditions: when the domain name is invalid or when the SOCKS proxy is not responding (Mozilla Advisory, NVD).

The vulnerability has been assigned a CVSS 3.1 Base Score of 8.6 (HIGH) by CISA-ADP with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L. It is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The technical nature of the vulnerability involves DNS request handling when the Multi-Account Containers feature is enabled, specifically affecting the proxy configuration behavior (NVD, Wiz).

While Mozilla has rated this vulnerability as having a low impact, CISA-ADP's assessment suggests more significant potential consequences. The primary security impact involves the potential exposure of DNS requests outside the configured SOCKS proxy, which could lead to information disclosure and potential privacy concerns (Mozilla Advisory, Wiz).

The vulnerability has been fixed in Firefox version 140. Users are advised to update to this version or later to mitigate the issue. The fix has been implemented and is available through the standard Firefox update mechanism (Mozilla Advisory).