Cross-site Scripting (XSS) Affecting firefox-debuginfo package, versions <0:128.12.0-1.amzn2023.0.1


Severity

Recommended
high

Based on Amazon Linux security rating.

Threat Intelligence

EPSS
0.07% (22nd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Cross-site Scripting (XSS) vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-AMZN2023-FIREFOXDEBUGINFO-10693519
  • published11 Jul 2025
  • disclosed24 Jun 2025

Introduced: 24 Jun 2025

CVE-2025-6430  (opens in a new tab)
CWE-79  (opens in a new tab)

How to fix?

Upgrade Amazon-Linux:2023 firefox-debuginfo to version 0:128.12.0-1.amzn2023.0.1 or higher.
This issue was patched in ALAS2023-2025-1055.

NVD Description

Note: Versions mentioned in the description apply only to the upstream firefox-debuginfo package and not the firefox-debuginfo package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2023 relevant fixed versions and status.

When a file download is specified via the Content-Disposition header, that directive would be ignored if the file was included via a &amp;lt;embed&amp;gt; or &amp;lt;object&amp;gt; tag, potentially making a website vulnerable to a cross-site scripting attack. This vulnerability affects Firefox < 140, Firefox ESR < 128.12, Thunderbird < 140, and Thunderbird < 128.12.

CVSS Base Scores

version 3.1