CVE-2025-8031: 
NixOS vulnerability analysis and mitigation

CVE-2025-8031 is a security vulnerability discovered in Mozilla Firefox and Thunderbird browsers where the username:password part was not correctly stripped from URLs in Content Security Policy (CSP) reports. This vulnerability affects Firefox < 141, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13, and Thunderbird < 140.1. The issue was reported by Tom Schuster and was disclosed on July 22, 2025 (Mozilla Advisory).

The vulnerability stems from an implementation flaw in how the browser handles URL stripping in CSP reports. When generating CSP reports, the browser failed to properly remove authentication credentials (username:password) from URLs, potentially exposing HTTP Basic Authentication credentials. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 CRITICAL with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability could lead to the exposure of HTTP Basic Authentication credentials through CSP reports. This could potentially allow attackers to gain unauthorized access to protected resources by intercepting these credentials. The impact is rated as moderate according to Mozilla's security advisory (Mozilla Advisory).

The vulnerability has been fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1. Users are advised to update their browsers to these versions or later to mitigate the vulnerability (Mozilla Advisory, Red Hat).