Closed Bug 1970658 (CVE-2025-6429) Opened 1 year ago Closed 11 months ago

Unexpected URL can be loaded via embed/object elements due to non-strict YouTube URL replacement

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
141 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- wontfix
firefox-esr128 140+ fixed
firefox139 --- wontfix
firefox140 + fixed
firefox141 + fixed

People

(Reporter: masatokinugawa, Assigned: emk)

Details

(4 keywords, Whiteboard: [client-bounty-form][adv-main140+][adv-esr128.12+])

Attachments

(6 files, 3 obsolete files)

fx_wrong_url_loaded_via_embed.html
799 bytes, text/html
Details
Bug 1970658 - Automated test. r?#dom-core!
48 bytes, text/x-phabricator-request
Details | Review
Bug 1970658 - Apply YouTube embed URL replacement to the path component. r?#dom-core!
48 bytes, text/x-phabricator-request
Details | Review
Bug 1970658 - Apply YouTube embed URL replacement to the path component. r?#dom-core!
48 bytes, text/x-phabricator-request
phab-bot
: approval-mozilla-beta+
Details | Review
Bug 1970658 - Apply YouTube embed URL replacement to the path component. r?#dom-core!
48 bytes, text/x-phabricator-request
phab-bot
: approval-mozilla-esr128+
Details | Review
advisory.txt
346 bytes, text/plain
Details

When loading a YouTube URL of a particular format via an <embed> or <object> element, Firefox replaces the specified URL. It is done in nsObjectLoadingContent::MaybeRewriteYoutubeEmbed : https:// github.com/mozilla-firefox/firefox/blob/4b584585f7b4ed77738aa20a2d1bc2ba9e8a464f/dom/base/nsObjectLoadingContent.cpp#L508-L603

Here, the first & string contained in the specified URL is replaced with ?: https://github.com/mozilla-firefox/firefox/blob/4b584585f7b4ed77738aa20a2d1bc2ba9e8a464f/dom/base/nsObjectLoadingContent.cpp#L578
However this replacement is not strct and allows fetching unexpected hosts.

The issue can be reproduced via the following HTML. If the PoC works correctly, example.com host instead of the expected YouTube host will be embedded in the subframe.

<embed src="https://example.com&@www.youtube.com/v/lG7U3fuNw3A"></embed>

or

<object data="https://example.com&@www.youtube.com/v/lG7U3fuNw3A"></object>

This can result in embedding unexpected hosts, even if the application embeds the URL from the embed/object tag after validating user-specified URL correctly.

The following is an example of content being loaded from an unexpected host even though the client-side JavaScript validates the specified host and protocol properly.
https://vulnerabledoma.in/fx_wrong_url_loaded_via_embed.html

Flags: sec-bounty?

The URI/URL seems to be parsed correctly, so this may be a bug in DOM.

Group: firefox-core-security → core-security
Component: Security → DOM: Core & HTML
Product: Firefox → Core
Group: core-security → dom-core-security

From reading bug 1258053, it looks like this was related to the Flash plugin so maybe we can remove it? I'm not entirely sure of what the security implications are.

Severity: -- → S2

Interestingly, this rewriting is controlled by a pref and even has a use counter. The use counter only records if a URL could be rewritten, not that there was actually any change from it, but we're getting like 100k hits per day. I haven't looked at use counters before, but that sounds like a lot.

We should use pathQueryRef instead of the entire spec.

Assignee: nobody → VYV03354
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true

I'll mark this as sec-moderate, as it sounds like the exploit scenario here is that you are bypassing a site restriction for validating a user-supplied URL, and I think that's what we tend to use for things in that category, like CSP bypasses. I don't think we have a specific csectype for that, however.

Keywords: csectype-other, sec-moderate
Pushed by VYV03354@nifty.ne.jp: https://github.com/mozilla-firefox/firefox/commit/7ef2c4c3642a https://hg.mozilla.org/integration/autoland/rev/cf4ccb536244 Apply YouTube embed URL replacement to the path component. r=dom-core,farre

https://hg.mozilla.org/mozilla-central/rev/cf4ccb536244

Group: dom-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 11 months ago
status-firefox141: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 141 Branch
Attachment #9494481 - Flags: approval-mozilla-beta?

:emk, could you complete the uplift request form on the beta uplift request?
It grafts cleanly to ESR128, looks like it's needed there also?

Flags: needinfo?(VYV03354)

firefox-beta Uplift Approval Request

  • User impact if declined: Attackers can load a malicios website in a subframe bypassing site filters
  • Code covered by automated testing: yes
  • Fix verified in Nightly: yes
  • Needs manual QE test: no
  • Steps to reproduce for manual QE testing: N/A
  • Risk associated with taking this patch: Low
  • Explanation of risk level: Only reduced a range of string replacement, automated test is works loccally (not landing yet because this is a security sensitive bug and the test contains a PoC)
  • String changes made/needed: No
  • Is Android affected?: yes
Attachment #9494612 - Flags: approval-mozilla-esr128?

firefox-esr128 Uplift Approval Request

  • User impact if declined: Attackers can load a malicios website in a subframe bypassing site filters
  • Code covered by automated testing: yes
  • Fix verified in Nightly: yes
  • Needs manual QE test: no
  • Steps to reproduce for manual QE testing: N/A
  • Risk associated with taking this patch: low
  • Explanation of risk level: Only reduced a range of string replacement, automated test is works loccally (not landing yet because this is a security sensitive bug and the test contains a PoC)
  • String changes made/needed: no
  • Is Android affected?: yes
Attachment #9494613 - Flags: approval-mozilla-esr115?

firefox-esr115 Uplift Approval Request

  • User impact if declined: Attackers can load a malicios website in a subframe bypassing site filters
  • Code covered by automated testing: yes
  • Fix verified in Nightly: yes
  • Needs manual QE test: no
  • Steps to reproduce for manual QE testing: N/A
  • Risk associated with taking this patch: low
  • Explanation of risk level: Only reduced a range of string replacement, automated test is works loccally (not landing yet because this is a security sensitive bug and the test contains a PoC)
  • String changes made/needed: no
  • Is Android affected?: yes

(In reply to Donal Meehan [:dmeehan] from comment #11)

:emk, could you complete the uplift request form on the beta uplift request?
It grafts cleanly to ESR128, looks like it's needed there also?

Sorry, I didn't find the upload request form. I have filled the form now.

Flags: needinfo?(VYV03354)
Attachment #9494481 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #9494612 - Flags: approval-mozilla-esr128? → approval-mozilla-esr128+
Attachment #9494613 - Flags: approval-mozilla-esr115? → approval-mozilla-esr115+
Attachment #9494613 - Flags: approval-mozilla-esr115+ → approval-mozilla-esr115-
QA Whiteboard: [sec] [uplift] [qa-triage-done-c141/b140]
Flags: qe-verify-
Attachment #9494613 - Attachment is obsolete: true
Whiteboard: [client-bounty-form] → [client-bounty-form][adv-main140+]
Attached file advisory.txt (obsolete) —
Whiteboard: [client-bounty-form][adv-main140+] → [client-bounty-form][adv-main140+][adv-esr128.12+]
Attached file advisory.txt (obsolete) —
Attachment #9495619 - Attachment is obsolete: true
Flags: sec-bounty? → sec-bounty+

I think the advisory is wrong. This bug rewrites a YouTube URL to a different host (e.g. from www.youtube.com to attacker.example.com).
This bug is problematic when YouTube embeds are expected.

Attached file advisory.txt
Attachment #9495625 - Attachment is obsolete: true
Alias: CVE-2025-6429

(In reply to Pulsebot from comment #8)

Pushed by VYV03354@nifty.ne.jp:
https://github.com/mozilla-firefox/firefox/commit/7ef2c4c3642a
https://hg.mozilla.org/integration/autoland/rev/cf4ccb536244
Apply YouTube embed URL replacement to the path component. r=dom-core,farre

Perfherder has detected a devtools performance change from push cf4ccb5362445e499d5f219d115333d85a4c4edf.

If you have any questions, please reach out to a performance sheriff. Alternatively, you can find help on Slack by joining #perf-help, and on Matrix you can find help by joining #perftest.

Improvements:

Ratio Test Platform Options Absolute values (old vs new)
3% damp custom.netmonitor.requestsFinished.DAMP linux1804-64-shippable-qr e10s fission stylo webrender 2,577.99 -> 2,502.55

Details of the alert can be found in the alert summary, including links to graphs and comparisons for each of the affected tests.

If you need the profiling jobs you can trigger them yourself from treeherder job view or ask a performance sheriff to do that for you.

You can run all of these tests on try with ./mach try perf --alert 45690

The following documentation link provides more information about this command.

Keywords: perf-alert
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: