CVE-2025-8031

Multiple Products

A critical vulnerability has been identified in multiple products, including Firefox and Firefox ESR, which could lead to the exposure of user credentials.

Executive summary

A critical vulnerability has been identified in multiple products, including Firefox and Firefox ESR, which could lead to the exposure of user credentials. The flaw causes the browser to incorrectly handle URLs containing usernames and passwords, sending them in plain text within security reports. An attacker could exploit this to steal credentials for systems using HTTP Basic Authentication, potentially leading to unauthorized access to sensitive corporate resources.

Vulnerability

The vulnerability exists in the browser's handling of Content Security Policy (CSP) violation reports. When a webpage with a CSP triggers a violation, the browser sends a report to a designated endpoint. If a user is accessing a resource on that page using a URL that includes HTTP Basic Authentication credentials (e.g., https://username:password@service.example.com), the browser fails to properly sanitize this URL before including it in the CSP report. An attacker can exploit this by crafting a malicious website with a specific CSP policy that intentionally causes a violation. When a user visits this site and is prompted for credentials for a resource, the browser will send the user's full username and password directly to the attacker-controlled reporting endpoint.

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.8 due to its low attack complexity and high impact on confidentiality. Successful exploitation could lead to the widespread theft of employee credentials for any internal or external services that rely on HTTP Basic Authentication. This poses a direct risk of unauthorized access to sensitive corporate data, financial systems, administrative panels, and other critical infrastructure. The consequences include potential data breaches, financial fraud, reputational damage, and the compromise of entire network segments if the stolen credentials have elevated privileges.

Remediation

Immediate Action: Apply security updates to all affected software immediately. All instances of Firefox should be updated to version 141 or later, and all instances of Firefox ESR should be updated to version 128 or later. After patching, monitor for signs of exploitation attempts that may already have occurred, and review authentication logs for unusual activity indicating compromised credentials.

Proactive Monitoring: Security teams should configure network monitoring and SIEM solutions to detect and alert on outbound POST requests to unknown or untrusted CSP reporting endpoints. Inspect web proxy and firewall logs for traffic patterns consistent with CSP report submissions containing credential formats (e.g., user:pass@). Monitor authentication systems for a spike in failed logins followed by a successful login from an anomalous IP address, which could indicate the use of stolen credentials.
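The proxy-log inspection described above can be done by parsing captured report bodies rather than grepping for "@". The following is an added example, not part of the original advisory. It assumes the proxy records POST bodies for the application/csp-report and application/reports+json content types; the function names and the sample bodies are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# URL-valued fields in a legacy "csp-report" body and in a Reporting API body.
URL_FIELDS = ("document-uri", "blocked-uri", "referrer", "source-file",
              "documentURL", "blockedURL", "sourceFile")

def has_userinfo(value):
    """True if value parses as a URL with user[:password]@ in its authority."""
    if not isinstance(value, str):
        return False
    try:
        parts = urlsplit(value)
    except ValueError:          # e.g. malformed IPv6 literal
        return False
    return bool(parts.scheme and parts.netloc and "@" in parts.netloc)

def report_bodies(payload):
    """Yield the field dict of each report in either wire format."""
    doc = json.loads(payload)
    if isinstance(doc, dict) and isinstance(doc.get("csp-report"), dict):
        yield doc["csp-report"]                  # application/csp-report
    elif isinstance(doc, list):                  # application/reports+json
        for item in doc:
            if isinstance(item, dict) and isinstance(item.get("body"), dict):
                yield item["body"]

def credential_fields(payload):
    """Return names of report fields whose URL embeds credentials.
    Only field names are returned, so the secret never reaches the alert."""
    try:
        bodies = list(report_bodies(payload))
    except ValueError:          # not JSON: not a CSP report, nothing to flag
        return []
    return [k for b in bodies for k in URL_FIELDS if has_userinfo(b.get(k))]

# Constructed sample bodies as a proxy might log them (not real traffic).
LEGACY = json.dumps({"csp-report": {
    "document-uri": "https://user:pass@service.example.com/app",
    "blocked-uri": "inline",
    "violated-directive": "script-src-elem"}})
CLEAN = json.dumps([{"type": "csp-violation", "body": {
    "documentURL": "https://service.example.com/app",
    "blockedURL": "https://cdn.example.net/x.js"}}])

if __name__ == "__main__":
    for name, sample in (("legacy", LEGACY), ("clean", CLEAN)):
        print(name, credential_fields(sample))
```

A non-empty result on an outbound report is the signal to alert on and to trigger a credential reset for the affected service; keyword values such as "inline" or "eval" in blocked-uri are ignored because they do not parse as URLs with an authority.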

Compensating Controls: If patching cannot be performed immediately, consider implementing network egress filtering to block connections to suspicious domains that could be hosting CSP reporting endpoints. As a long-term security enhancement, organizations should prioritize migrating services away from HTTP Basic Authentication to more secure modern authentication protocols like OAuth 2.0 or SAML, which are not susceptible to this type of credential leakage.

Exploitation status

Public Exploit Available: False

Analyst recommendation

Given the critical severity (CVSS 9.8) and the direct risk of credential exposure, this vulnerability requires immediate attention. We strongly recommend that all organizations prioritize the deployment of the supplied patches for Firefox and Firefox ESR across all corporate endpoints without delay. The simplicity of exploitation significantly increases the likelihood of future attacks, making proactive patching the most effective defense against potential compromise.