CVE-2025-6433: 
NixOS vulnerability analysis and mitigation

CVE-2025-6433 is a security vulnerability discovered in Firefox versions prior to 140, reported by Simon. The vulnerability relates to WebAuthn functionality where a webpage with an invalid TLS certificate could still prompt users to complete authentication challenges, violating the WebAuthN specification's requirement for secure transport without errors (Mozilla Advisory, NVD).

The vulnerability stems from Firefox's improper certificate validation in WebAuthn implementation. When a user visits a webpage with an invalid TLS certificate and grants an exception, the browser incorrectly allows the webpage to initiate WebAuthn challenges, contradicting the WebAuthN specification's requirement for "a secure transport established without errors". The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability has been classified as having a low impact by Mozilla. However, it could potentially allow malicious websites with invalid TLS certificates to bypass security controls and initiate WebAuthn authentication challenges, potentially leading to unauthorized authentication attempts or credential theft (Mozilla Advisory).

The vulnerability has been fixed in Firefox version 140. Users are advised to update to this version or later to mitigate the risk. No specific workarounds were provided for users unable to update immediately (Mozilla Advisory).